15 comments

[ 2.6 ms ] story [ 58.6 ms ] thread
Good way to make people switch.
Given its previous history of breaking and slowing connectivity in favor of harder blocking of government-critical sites, I'd say they should've done it way before this. The routes through their nets remind me a black hole.
This sort of thing is why I look askance at the "you don't need certificates" crowd. In the US, at least both Comcast and AT&T have a long and well-documented history of injecting advertisements into websites when the lack of a certificate lets them get away with it. Maybe you don't care about eavesdroppers, but you should care about a malicious network tampering with your content in-flight.
Author himself links to articles how said ISP was injecting news ads, since 2020. Current news is about Ukraine, thus must be propaganda.
Therefore pro-war propaganda cannot be referred to as pro-war propaganda? This is bizarre logic. If the ads started showing nootropic propaganda, would you not be allowed to call it nootropic propaganda?
In cryptography there is the clear difference between encrypting and signing (Confidentiality and Integrity). Is this distinction possible on a webserver/browser? I.e. No encryption, no signing -> HTTP Encryption and signing -> HTTPS No encryption, signing -> ? What about public information (not confidential) that needs verification (yes integrity)?
Mobile providers have been doing this crap for ages.

That is why in the past I run my mobile connection through a VPN as much was possible.

FWIW this has nothing to do with pro-war propaganda, just the sketchy behaviour telecoms providers have been doing and still do.

In the early days of 3G USB modems, an ISP I was using would notice JPEGs being downloaded and recompress them with lower quality. I guess they used a transparent HTTP proxy to do so, to save their cellular bandwidth.
How easy is it, in practice, for a nation state level authority to add a root certificate to people's devices?

Adding letsencrypt to my personal server made me realize that if I'm MITM'd by a proxy, the padlock still shows up; merely clicking on it and going down a couple of menu levels (in Chrome "Connection is secure -> Certificate is valid" will reveal that the MITM proxy's root certificate is in use.

If an employer can do this to its laptops, and presumably a cell phone maker to the cell phones it sells, just much protection does https really give you against a nation state level propaganda machine?

Hm, I think you're mixing some things. A nation state could be embedding root certificates via a vendor, see Lenovo superfish (I know this wasn't done by the government, but that somehow makes it even worse). But a nation state actor also could simply buy the latest exploit from HackingTeam/Cellebrite/GrayKey/<current exploit vendor>.

Let's encrypt is secure against MITM as far as I know because you still have to verify you own a given domain somehow. I cannot get a let's encrypt certificate for google.com for example.

Someone has to first import the certificate into you systems trust store. With employers that's usually done by joining their active directory.

If you're not in the active directory, but using your employers proxy, you will see a warning about an untrusted CA on every https site you visit.

Even with HTTPS, are any pinning techniques still viable to warn users the traffic is being, possibly legitimately, MITM-ed?

HPKP was an option, but the footgun reason was given for dropping support. Has anything taken its place? Is there anyway to determine a MITM server-side without relying on x-forwarded-for or via headers?