
Peinjector: MITM PE file infector - geographomics
https://github.com/JonDoNym/peinjector
======
redwards510
Doing some testing of my own using BDFProxy opened my eyes as to what large
sites are using http vs https for downloading files. If your primary reason
for existing is providing binaries for download, you have no excuse for
serving them up over http. I'm looking at you SourceForge.

------
Osiris
Here's another good reason to encrypt everything. With letsencrypt.org coming
online soon, maybe browsers can start providing warnings to users that try to
download files from regular HTTP connections; though that wouldn't prevent
this problem if the originating website itself is nefarious.

~~~
JoshTriplett
It'll take a while, but this does remove the last excuse sites might have for
not encrypting _everything_.

I'm hopeful that in the next decade any use of unencrypted HTTP will become
suspect, such that browsers can start showing unencrypted HTTP as explicitly
insecure, rather than just as the absence of signs of security. But it'll take
many years to get to that point.

------
s1lver
Anyone with a key for a root cert in your trusted list could apply this to
https as well I betcha. Lenovo comes to mind.

