Next time somebody complains about how HTTPS is "useless" or some such, send them this:
A target’s web browsing can leave them open to attack without the need for them to click on a specifically-designed malicious link. This approach involves waiting for the target to visit a website that is not fully secured during their normal online activity. Once they click on a link to an unprotected site, NSO Group’s software can access the phone and trigger an infection.
This harkens back to #CitizenLab's amazing report on Malware-in-the-Middle operations, published ~7 years ago:
That is, we've known about this for almost a decade. It was *made into a product* almost a decade ago.
This is not hypothetical. People are getting malwared (and then, in some cases, killed) because they visited an HTTP-only site.