News of the Week Top 5; April 1, 2015

1. China Uses Unencrypted Websites to Hijack Browsers in GitHub Attack

2. Ellen Pao’s Statement On Losing The Kleiner Perkins Case: “The Battle Was Worth It”

3. How C-51 undermines privacy (Lisa M. Austin, Benjamin J. Goold, Avner Levin and Andrea Slane)

4. Facebook tracks logged-out users in ‘violation’ of EU law, study says

5. Bell censorship: the status quo can’t endure

jon

One response to “News of the Week Top 5; April 1, 2015”

  1. Ryan Vogt

    Regarding the first article: the thesis seems to be that if more sites (completely aside from the victim site) used HTTPS instead of HTTP, this JavaScript-injection MitM DDoS attack would be more difficult. While that statement is true, there’s one key point of reasoning that the author of the article missed out on.

    HTTPS (HTTP using SSL/TLS) relies on the end user’s computer trusting only valid certification authorities (CAs). I won’t go into the technical details here. However, suffice it to say that a computer configured to trust a CA controlled by a malicious player will believe SSL/TLS certificates signed by that CA. That is, if my computer trusts Mallory’s EvilCorp CA, then Mallory can make me believe any old website belongs to, e.g., ScotiaBank, RBC, CBC, etc. — provided that Mallory can intercept the communications between me and, say, the valid and real ScotiaBank website.

    So, given (1) a Great Firewall that routes all traffic into and out of the country; and, (2) the ability to configure computers to trust The Great Firewall CA…well, HTTPS doesn’t protect against these MitM attacks very well at all in these circumstances.

    To protect against this sort of attack, you really need to Onion Route (e.g., Tor) to an endpoint beyond the Great Firewall before making the final hop to the legitimate site.
