I fully concur with the observations expressed by various members of the mailing list
regarding security implications of, for example, man-in-the-middle (MITM) scenario type
attacks when offering HTTP traffic (even when just offered in addition to HTTPS traffic).
Take the scenario of malware injected into an MP3 or OGG stream by a MITM attack scenario
as described, for example, in [1]. Albeit the fact this has yet to be observed in the
wild, it takes only one flawed media player in combination with the scenario as described
in the quoted paper (and may this be as a third-party component carrying a zero-day and
not even intended by the author - as the recent log4shell example clearly shows) to wreak
havoc on desktop environments, mobile devices and beyond...
Switching to an HTTPS-only approach eliminates this risk once and for all - a small price
to pay given that even today's mobile / embedded devices carry enough computing power to
address this without much overhead. Given the fact that even legacy devices contain enough
computing power (by offloading crypto-processing to GPUs, for example; [2] dates back more
than ten years), I don't see an issue with even older hardware being powerful enough to
support modern encryption used by, say, TLS. More recent FLOSS approaches prove to be even
more powerful [3].
Just my $.02 :-).
Cheers, Chris
(CISSP, CSSLP, CEH)
[1] https://www.researchgate.net/publication/288646143_Code_Injection_Attacks_on_HTML5-based_Mobile_Apps_Characterization_Detection_and_Mitigation
[2] https://github.com/heipei/engine-cuda
[3] https://github.com/intel/QAT_Engine
--
This email account is monitored seven days a week.