undefined | Better HN

0 pointscjbprime1y ago0 comments

A request to a bank that doesn't use TLS would be near-criminal negligence (by the bank) in itself.

If the request does use TLS, then even a compromised router should be unable to decrypt it. TLS is end-to-end encryption.

If the request doesn't use TLS, then the compromised router can already see the request and response that it is relaying. So why does it have to replay the request from somewhere else? It can just exfiltrate the session back to the attacker silently, without replaying it first.

If I had to guess, the attacker isn't sure what they're looking for in the HTTP sessions, so they can't push a detection for interesting sessions down to the compromised routers, and they also don't have the bandwidth to simply receive all unencrypted traffic from their router botnet, so instead they're collecting the URLs and building up a list of detection patterns over time through scanning and using heuristics for which requests are worth investigating, something like that?

0 comments

8organicbits1y ago

That's a good guess.

Test systems often don't use HTTPS. Test systems often have credentials that work in production (even though they shouldn't), or are useful for finding vulnerabilities in production.

j / k navigate · click thread line to collapse