Comment

Comment on South Korean telecom company attacks torrent users with malware

LainTrain@lemmy.dbzer0.com ⁨1⁩ ⁨week⁩ ago

I think it’s much simpler than that.

Webhard is Web Hard Drives - SK torrenting scene is very different from the west, to simplify basically everyone uses seedboxes or “web hard drives” in SK to download stuff.

While I can’t seem to find out anything about what “The Grid system” is, if the whole thing is an online portal or software. If ISP routers are anything like the west that means they control the DNS servers and the ones on router cannot be changed, and likely it blocks 1.1.1.1 and 8.8.8.8 and so on, as Virgin Media does in the UK for example, which definitely opens up a massive attack vector for an ISP to spin up its own website with a verified cert

source

Sort:hotnew top

tal@lemmy.today ⁨1⁩ ⁨week⁩ ago

If ISP routers are anything like the west that means they control the DNS servers and the ones on router cannot be changed, and likely it blocks 1.1.1.1 and 8.8.8.8 and so on, as Virgin Media does (along with blocking secure DNS) in the UK for example, which definitely opens up a massive attack vector for an ISP to spin up its own website with a verified cert and malware and have the DNS resolve to that when users try to access it to either download the software needed to access this Grid System or if it’s a web portal - the portal itself.

Browser page integrity – if you’re using https – doesn’t rely on DNS responses.

If I go to “foobar.com”, there has to be a valid cert for “foobar.com”. My ISP can’t get a valid cert for foobar.com unless it has a way to insert its own CA into my browser’s list of trusted CAs (which is what some business IT departments do so that they cans snoop on traffic, but an ISP probably won’t be able to do, since they don’t have access to your computer) or has access to a trusted CA’s key, as per above.

source
- LainTrain@lemmy.dbzer0.com ⁨1⁩ ⁨week⁩ ago
  
  or has access to a trusted CA’s key, as per above.
  
  I don’t see why they wouldn’t, or couldn’t do this if they wanted to if they were also willing to straight up resort to spreading malware, which idk about SK but that’s illegal anywhere in the west under very broad laws.
  
  source
  - tal@lemmy.today ⁨1⁩ ⁨week⁩ ago
    
    I don’t see why they wouldn’t, or couldn’t do this
    
    There are only 52 organizations that Firefox trusts to act as CAs. An ISP isn’t normally going to be on there.
    
    wiki.mozilla.org/CA/Included_Certificates
    
    …salesforce-sites.com/…/CACertificatesInFirefoxRe…
    
    If whatever cert is presented by a remote website doesn’t have a certificate signed by one of those 52 organizations, your browser is going to throw up a warning page instead of showing content. KT Corporation, the ISP in question, isn’t one of those organizations.
    
    source
    LainTrain@lemmy.dbzer0.com ⁨1⁩ ⁨week⁩ ago
    That’s not what I mean.
    
    For example: If I, and ISP in Beijing went to BEIJING CERTIFICATE AUTHORITY Co., Ltd. which is on the list, and had my cert issued by them for foobar.com that listed them as the root trust, wouldn’t that work? Because the service operating there currently is illegal and I need to take it down, i don’t see how or why they could refuse.
    
    This is the only way I can see governments being able to display blocked website notices, takedown notices and other MITM insertions demonstrably happening in all sorts of countries without triggering a “back to safety” warning in most browsers.
    
    source
    -> View More Comments