Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tlb 3 hours ago

It's ridiculous to consider MITM attacks out of scope for taking over your computer. Also, there are probably ways to exploit this without a true MITM like DNS cache poisoning. But it's best to just assume the whole internet is MITMed.

amiga386 3 hours ago | parent | next [-]

MITM where attacker needs to install their own CA certs on the victim's device -- sure, out of scope.

MITM because you used http instead of https and you don't have any other verified cryptographic signature on your data -- get tae fuck, fix it pronto.

pietervdvn 2 hours ago | parent [-]

I'd even count this as "having local access to the device", as that is what is needed to install such a cert

arcfour an hour ago | parent [-]

I think it's fair to say that requiring local administrative access to the device is out of scope, since you have already completely pwned the device in that case, which is what what you need to install a CA cert on any OSes.

joxdosba 2 hours ago | parent | prev | next [-]

Why would anyone ever exclude true mitm?

Various domain registrars have been compromised over and over again (often by children!), resulting in companies like Tesla and Cloudflare getting owned.

The reality is that any vaguely competent attacker can compromise a court clerk and just compel e.g. the .com registry to hand over whatever domain they want.

Although I suppose the aforementioned problem has significant implications beyond dns…

gruez an hour ago | parent [-]

>Why would anyone ever exclude true mitm?

Same reason security programs exclude social engineering, even though that's a pretty common way for companies to get pwned.

zulln 23 minutes ago | parent [-]

Excluding SE is to make sure people do not spam customer support and launch annoying phishing campaigns. None of that is applicable for local software running on your own computer.

tuckerpo 3 hours ago | parent | prev | next [-]

Out of scope in this case means "we don't wanna pay you"

cogman10 39 minutes ago | parent [-]

Apparently it also means "We don't want to pay our engineers to fix this".

sigmoid10 3 hours ago | parent | prev | next [-]

Out of scope does not necessarily mean out of impact. It is merely a question of how far a company wants to be responsible for the environment their software is run in. Most of the time that answer is "not much."

dlcarrier 3 hours ago | parent | prev [-]

But I use a Wi-Fi password, so my phone says it's secure!