Next time somebody complains about how HTTPS is "useless" or some such, send them this:

A target’s web browsing can leave them open to attack without the need for them to click on a specifically-designed malicious link. This approach involves waiting for the target to visit a website that is not fully secured during their normal online activity. Once they click on a link to an unprotected site, NSO Group’s software can access the phone and trigger an infection.

· · Web · 1 · 17 · 4

This harkens back to 's amazing report on Malware-in-the-Middle operations, published ~7 years ago:

That is, we've known about this for almost a decade. It's been *made into a product* almost a decade ago.

This is not hypothetical. People are getting malwared (and then, in some cases, killed[1]) because they visited an HTTP-only site.


Sign in to participate in the conversation
Mastodon for Tech Folks

This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either!