@jbauer please reconsider, HTTP is an attack vector for #Pegasus, among others:
A target’s web browsing can leave them open to attack without the need for them to click on a specifically-designed malicious link. This approach involves waiting for the target to visit a website that is not fully secured during their normal online activity. Once they click on a link to an unprotected site, NSO Group’s software can access the phone and trigger an infection.
@jbauer absolutely. I am as furious and frustrated by this as anyone.
I want old tech to continue just working. I want things to not become obsolete for silly reasons.
But I also want journalists and activists not to be pwned by people who want to physically hurt them, and if the price for that is running HTTPS and making some old tech obsolete... well, I'll take it.
@email@example.com @firstname.lastname@example.org like what I'm thinking is that you'd have an HTTPS to HTTP proxy inside the same internal network that the old device is connected to. The proxy would live on some server on the same network like a spare Raspberry Pi.
Obviously not as convenient as having a direct connection, but it could work...
@th For a better view on the modern web, you can also use tenox' wrp (not really a proxy, more a re-rendering web server) or WebOne (which has an actual http proxy mode). Either needs a relatively beefy machine to run on though.
@norm You still have a number of issues.
The proxy itself needs to be trusted.
If it's a passthrough proxy, rather than a caching proxy, intercept and modification can still occur.
As does specific malware checking.
Sadly, the age of open unencrypted protocols passed. Several decades ago.
> The proxy itself needs to be trusted.

My solution is to have it on a local network that you control, as mentioned in my other posts.

> If it's a passthrough proxy, rather than a caching proxy, intercept and modification can still occur.

Modification could be useful in some cases, like allowing a page to render correctly, which is useful on old systems without support for the latest standards.
@norm What are the benefits of a proxy that is directly traceable to you?
The benefits of HTTPS are:
Server authenticity is asserted.
Contents integrity is asserted.
Specific request(s) and content(s) are encrypted against third-party observation.
Specific request(s) and content(s) are encrypted against third-party injection.
Additionally, a redirect proxy (VPN or Tor for example) can obscure what clients are making what requests of a host, providing further protections against surveillance. (Vulnerable to timing-based observations, but increasing surveillance costs considerably.)
A locally-hosted proxy ... does none of this.
What possible benefits do you see?
@jbauer and we've known HTTP connections are abused this way at least since 2014:
In other words, *any* HTTP website or resource is a viable vector for malicious actors to use to inject malware. It has been done, and is being done, and will continue to be done.
This is of course your decision. But as a person who works with people potentially targeted... please, reconsider.
HTTPS Everywhere is, er, ambitiously named: it can't use HTTPS with sites that don't support it.
As basic security, everyone should use at least one form of content-blocking at all times: uBlock Origin, Blokada, Pi-Hole, TrackerControl, etc. And don't just install them, but understand what they do, keep them updated, and make sure they're configured properly. Some blocklists specifically target Pegasus domains:
@Seirdy whoa, thanks for the deep-ish dive! Hadn't thought about CSP reporting as a means to identify extensions.
> HTTPS Everywhere is, er, ambitiously named: it can't use HTTPS with sites that don't support it.
I think OP said *also* HTTP. HTTPS should definitely be an available option for all sites
> As basic security, everyone should use at least one form of content-blocking at all times: uBlock Origin, Blokada, Pi-Hole, TrackerControl, etc.
Say I want to Malware-in-the-Middle you. I find a site that offers content on both HTTPS and HTTP, *block* HTTPS, but let you use HTTP. If there is no HSTS, I get a nice, cleartext request to intercept and inject with my malware.
Now I need you to click such a link (which might not be hard if it's a nice blog), and mission accomplished.
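The downgrade described above only works when the browser has no HSTS policy for the site, so a defender's first check is whether the `Strict-Transport-Security` header a site sends is actually usable. The script below is an added example (not code from anyone in this thread) that parses that header and lists the gaps that leave a downgrade possible; the six-month threshold is an assumed value reflecting common guidance, not a standard.

```python
"""Check a Strict-Transport-Security header for downgrade resistance.
Added example; SIX_MONTHS is an assumed threshold, not a fixed standard."""
from dataclasses import dataclass
from typing import List, Optional

SIX_MONTHS = 15552000  # seconds; assumed minimum for a useful policy


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is missing or malformed
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse an HSTS header value (RFC 6797); None means no header was sent."""
    if header is None:
        return None
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False)
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def assess(header: Optional[str]) -> List[str]:
    """Return the ways this header leaves a browser open to an HTTP downgrade."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no HSTS header: the browser will follow http:// links in cleartext"]
    findings = []
    if policy.max_age is None:
        findings.append("max-age missing or malformed: browsers ignore the header")
    elif policy.max_age == 0:
        findings.append("max-age=0: policy is cleared, downgrade possible")
    elif policy.max_age < SIX_MONTHS:
        findings.append(f"max-age={policy.max_age} is short: protection lapses quickly")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains may still be reached over HTTP")
    return findings
```

Even a strong header only takes effect after the browser's first HTTPS visit, so a site that is not on the preload list remains exposed on that first cleartext request.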