
Back before HTTPS was prevalent, as a proof of concept, I set up a DNS server to redirect Google Analytics domains to an MITM server that added a keylogger and added some HTTP headers to tell it to cache it as long as possible. The result was a keylogger that persisted on most sites (anything with GA), even after I connected to a non-compromised DNS server.

Fortunately this is no longer possible because of HTTPS, but I was able to convince some big sites to switch to HTTPS because of it.

That is pretty sinister actually. Totally something you could do anywhere people get 'free' wifi.

If you look at the second answer (https://security.stackexchange.com/a/214877/12942) it looks like the GA code Goodreads is using specifically will use http:// instead of https:// if the current page is http-only, so this would still work. There isn't a good reason to get third-party resources via http if https is available, even on non-https pages.

It's not a good reason, but it does avoid scary mixed-content warnings. Your (insecure) connection might not be secure!

How did you get clients to use your DNS server? Was it on a network where you controlled the router, or did you set up a WiFi base station that folks blindly connected to in public, or some other way?

I'm pretty sure you could do it with just ARP spoofing/poisoning (https://en.wikipedia.org/wiki/ARP_spoofing). No need to control any other node on the network.

Yes, I did it on my own network at the router level as a proof-of-concept. I didn't actually use it on other people, but the idea is that a malicious public network operator could do so and effectively install keyloggers on dozens of people per day.

