Comment

Comment on South Korean telecom company attacks torrent users with malware

tal@lemmy.today ⁨4⁩ ⁨months⁩ ago

If ISP routers are anything like the west that means they control the DNS servers and the ones on router cannot be changed, and likely it blocks 1.1.1.1 and 8.8.8.8 and so on, as Virgin Media does (along with blocking secure DNS) in the UK for example, which definitely opens up a massive attack vector for an ISP to spin up its own website with a verified cert and malware and have the DNS resolve to that when users try to access it to either download the software needed to access this Grid System or if it’s a web portal - the portal itself.

Browser page integrity – if you’re using https – doesn’t rely on DNS responses.

If I go to “foobar.com”, there has to be a valid cert for “foobar.com”. My ISP can’t get a valid cert for foobar.com unless it has a way to insert its own CA into my browser’s list of trusted CAs (which is what some business IT departments do so that they cans snoop on traffic, but an ISP probably won’t be able to do, since they don’t have access to your computer) or has access to a trusted CA’s key, as per above.

source

Sort:hotnew top

LainTrain@lemmy.dbzer0.com ⁨4⁩ ⁨months⁩ ago

or has access to a trusted CA’s key, as per above.

I don’t see why they wouldn’t, or couldn’t do this if they wanted to if they were also willing to straight up resort to spreading malware, which idk about SK but that’s illegal anywhere in the west under very broad laws.

source
- tal@lemmy.today ⁨4⁩ ⁨months⁩ ago
  
  I don’t see why they wouldn’t, or couldn’t do this
  
  There are only 52 organizations that Firefox trusts to act as CAs. An ISP isn’t normally going to be on there.
  
  wiki.mozilla.org/CA/Included_Certificates
  
  …salesforce-sites.com/…/CACertificatesInFirefoxRe…
  
  If whatever cert is presented by a remote website doesn’t have a certificate signed by one of those 52 organizations, your browser is going to throw up a warning page instead of showing content. KT Corporation, the ISP in question, isn’t one of those organizations.
  
  source
  - LainTrain@lemmy.dbzer0.com ⁨4⁩ ⁨months⁩ ago
    That’s not what I mean.
    
    For example: If I, and ISP in Beijing went to BEIJING CERTIFICATE AUTHORITY Co., Ltd. which is on the list, and had my cert issued by them for foobar.com that listed them as the root trust, wouldn’t that work? Because the service operating there currently is illegal and I need to take it down, i don’t see how or why they could refuse.
    
    This is the only way I can see governments being able to display blocked website notices, takedown notices and other MITM insertions demonstrably happening in all sorts of countries without triggering a “back to safety” warning in most browsers.
    
    source
    Zeoic@lemmy.world ⁨4⁩ ⁨months⁩ ago
    Well for one, ISPs are not the government, and two, if any CA was caught doing this, browsers like firefox would drop them. Hopefully google would too, but who knows. Thats an aweful lot of risk on their part.
    
    source
    -> View More Comments