The last few months have been a bounty of attacks against non-secure HTTP — things that HTTPS would have prevented. This post is just a collection of links for reference.
- Comcast injecting ads into their customers’ web traffic
- AT&T tracking their users’ browsing habits
- Verizon injecting tracking headers
- Optus handing out customer phone numbers in HTTP headers (a practice known euphemistically as “HTTP header enrichment“)
- Bharti Airtel injecting JavaScript into web pages
- The “Great Cannon of China” knocking Github offline
- An unknown attacker hijacking BGP routes to steal bitcoin [OK, I don’t know if the victims were using HTTP or not, but they clearly weren’t using authentication — they would have been protected if they had used HTTPS.]
- Turk Telecom hijacking Google’s public DNS address space to provide bogus responses for YouTube and Twitter
Ping me at @rlbarnes if you’ve got others!