- Jan 27, 2017
Cool, thank you for your insight! Yeah, if HTTPS accounted for 75%+ of the traffic, and was the industry standard, then our temporary site would be HTTPS as well.
From my understanding, HTTPS is subject to BGP hijacking as well, so in the end, it probably does not make a difference anyway, right? I mean, an attacker who is that sophisticated surely will not have an issue either way. And besides, as you mentioned, this type of attack is not exactly stealthy.
Any serious attacker probably isn't swayed by SSL, which is why secure systems and compliance audit requirements do not rely on SSL alone; it's always combined with a secondary encryption algorithm like AES256 blobs over SSL.
Aside from the pxfire and nbu redirects ISPs use on HTTP... Unfortunately for all of us, the NSA is performing widespread QI attacks on TCP streams on HTTP; this freaks people out, so they demand SSL when possible, especially for security applications. I have documented QuantumSky attacks used against me on my network, for example. The injection is done by observing HTTP requests by means of eavesdropping on non-SSL network traffic. When an interesting target is observed, another device, the shooter, is tipped to send a spoofed TCP packet. In order to craft and spoof this packet into the existing session, information about this session has to be known by the shooter. All the information required by the shooter is available in the TCP packet containing the HTTP request.
So yeah, while in general it's not a massive issue, the NSA is really into QI attacks in the last few years on a scale much wider than you'd expect. So paranoid folks are paranoid around HTTP. I really should be more paranoid over HTTP than I am at this point because of the well documented attacks against my network and systems. But all of my sensitive data traverses encrypted blobs within SSL pipes anyway. So they can see I ordered a pizza, but they won't see a photo of me eating the pizza I snapped with my camera and put on my cloud drive.
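An added example, not part of the thread: a minimal passive check for the injection described in the post above. Because the spoofed segment is inserted into an existing session, the genuine server segment for the same sequence range still arrives, so a sensor can flag flows where overlapping TCP bytes differ. The segment records, addresses, TTLs and field names are constructed for illustration.

```python
from collections import defaultdict

def find_conflicting_segments(segments):
    """Flag TCP segments that overlap bytes already seen in the same flow
    direction but carry different content. Identical retransmits are ignored."""
    seen = defaultdict(dict)  # flow -> {sequence number of byte: (byte, ttl)}
    alerts = []
    for seg in segments:
        flow = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        stream, conflict = seen[flow], None
        for i, byte in enumerate(seg["payload"]):
            pos = (seg["seq"] + i) % 2**32  # sequence numbers wrap at 2^32
            if pos in stream and stream[pos][0] != byte:
                # Remember only the first conflicting byte of this segment.
                conflict = conflict or (pos, stream[pos][1])
            else:
                stream.setdefault(pos, (byte, seg["ttl"]))
        if conflict:
            alerts.append({"flow": flow, "seq": conflict[0],
                           "first_ttl": conflict[1], "second_ttl": seg["ttl"]})
    return alerts

def make_segment(src, sport, dst, dport, seq, ttl, payload):
    """Hypothetical record layout; a real sensor would fill this from a capture."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "ttl": ttl, "payload": payload}

# Constructed sample: server-to-client segments as seen by the client's sensor.
SERVER = ("203.0.113.10", 80, "192.0.2.5", 51000)
OTHER = ("203.0.113.20", 80, "192.0.2.5", 51001)
SAMPLE_SEGMENTS = [
    # Two different answers for the same sequence range: one of them is spoofed.
    make_segment(*SERVER, 1000, 57, b"HTTP/1.1 302 Found\r\n"),
    make_segment(*SERVER, 1000, 49, b"HTTP/1.1 200 OK\r\n"),
    # Ordinary retransmission with identical bytes: not an alert.
    make_segment(*OTHER, 5000, 52, b"hello"),
    make_segment(*OTHER, 5000, 52, b"hello"),
]

if __name__ == "__main__":
    for alert in find_conflicting_segments(SAMPLE_SEGMENTS):
        print(alert)
```

The per-byte dictionary keeps the example short; a production sensor would bound memory by tracking only a recent window per flow.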