Note that if I can spoof an IP address, I can send you bogus DNS replies, and send you to a web server that impersonates Google/Facebook/etc. but does not require HTTPS (unless they use the strict security header). In this case you do not get a warning, just the absence of a tiny green icon.
I can't get a cert signed for facebook.com (at least not without very expensive bribes or other human factors engineering), but I could get one for faceboolc.com easily enough, and if you aren't looking closely that might fool the eye. It wouldn't catch everyone; anyone going direct to https://<site> would be warned as you suggest, but it could catch some out.
"If you have saved your login data on any plain-HTTP site that the attacker knows of, he can use his JS shell in the news site to load the site with the login form in an iframe, then inject another JS shell into the iframe and use that to read the password that the browser fills in."
As far as I know incognito mode won't autofill those saved credentials. I think that was the point of how incognito mode prevents this kind of attack.
In this attack the user doesn't have to access those HTTP sites with stored credentials by themselves while being connected to the evil network, because the injected script does that for you behind the scenes.
I've never set it up and was curious what others have done to make it as invisible as possible.
Startup idea! Make a tool that automatically tunnels your connection when you are on a public wifi. Make it open source and offer a hosted service. Also interesting if you are in a country which censors the internet. The dropbox of VPNs. For marketing you offer to write articles like this but less technical for magazines ("on Page 10 learn how easy it is for hackers to steal your facebook account and how you can protect yourself").
I've set up VyprVPN for a couple of ultra-paranoid friends, and the whole process was very smooth and end-user friendly.
There may be similar bits available for Windows, but I haven't looked into it there in some time.
Much easier than setting up a VPN server.
Add the option --proxy-server=127.0.0.1:3128 to your Chrome shortcut and that's it.
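Added example, not from any poster in this thread: the "SSH tunnel plus Chrome proxy flag" setup the two comments above describe, written out as a script. It uses ssh -D (a SOCKS5 listener on 1080) instead of the HTTP proxy on 3128 mentioned above, so nothing extra has to run on the server; the host name, the key-based login and the binary name "chromium" are assumptions. The part worth checking is DNS: with socks:// (SOCKS4) Chromium resolves names locally, through the hotspot's resolver, which is exactly the spoofable path, while socks5:// and http(s):// resolve on the proxy side, and --host-resolver-rules makes any leak fail loudly.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: an SSH server you control
# (VPS_HOST), key authentication already set up, and a Chromium binary named
# "chromium". The thread's --proxy-server=127.0.0.1:3128 points at an HTTP
# proxy; this uses ssh -D (SOCKS5 on 1080) so nothing extra runs on the server.
VPS_HOST="${VPS_HOST:-vps.example.org}"   # assumption: your own host
SOCKS_PORT="${SOCKS_PORT:-1080}"

# Chromium resolves hostnames on the far side for socks5:// and http(s)://
# proxies, but for socks:// (SOCKS4) it resolves locally, i.e. through the
# hotspot's resolver, which is exactly the spoofable path. Refuse those.
proxy_scheme_ok() {
  case "$1" in
    socks5://*|http://*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Belt and braces: tell Chromium's own resolver that every name except the
# loopback proxy is NOTFOUND, so a DNS leak fails visibly instead of silently
# following a forged answer.
resolver_rule() {
  printf 'MAP * ~NOTFOUND , EXCLUDE %s' "$1"
}

start_socks() {
  # -N no remote command, -f background after auth, -D dynamic SOCKS listener.
  # ExitOnForwardFailure makes ssh die instead of running without the proxy.
  ssh -f -N -D "127.0.0.1:${SOCKS_PORT}" \
      -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 "$VPS_HOST"
}

launch_chrome() {
  proxy="socks5://127.0.0.1:${SOCKS_PORT}"
  proxy_scheme_ok "$proxy" || { echo "refusing $proxy: resolves DNS locally" >&2; return 1; }
  chromium --proxy-server="$proxy" \
           --host-resolver-rules="$(resolver_rule 127.0.0.1)" "$@"
}

# Only act when explicitly asked, so the file can also be sourced for its helpers.
if [ "${TUNNEL_RUN:-0}" = 1 ]; then
  start_socks && launch_chrome
fi
```

Run it as `TUNNEL_RUN=1 sh tunnel.sh`; without the variable it only defines the helpers. If you keep the HTTP proxy on 3128 from the comment above, the same resolver rule applies, since Chromium sends the hostname in CONNECT and the proxy resolves it.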
I know that I would be more likely to contact a site owner asking for https if it screamed at me every time it happened.
It's time to ditch http for all but rare use cases, because it's almost 2014.
I admit to having spoofed a Burger King public WiFi and replacing all img-tag sources with Goatse. Priceless reactions everywhere ;)
If you really wanted to take this to the evil next level, you'd just break one (or several) WPA keys on nearby APs and have your rogue injector AP act as both an open AP (to unsuspecting users) and a client (using cracked keys) to other APs, thus avoiding having to actually buy internet access for this spot. You'd essentially just need to find a place to hide and power your evil AP.
Seems like ASICs are measured in the thousands to tens or hundreds of thousands of MHashes/sec. Whereas powerful GPUs drawing ~1000 Watts don't even break 1000MH/sec. High-end laptop GPUs seem to be in the 10s of MH/sec, a quad-core Atom shows 2MH/sec, and the Galaxy SII comes in at 1.3.
The vast majority of devices connecting to public APs are not going to be high-power systems. Not to mention the time they'll spend connected is unlikely to be 24/7. Even if it was, mining will probably drain batteries pretty quickly. Plus power-saving is likely to be on for mobile devices and reduce peak perf. And if it's just injecting JS, then backgrounded tabs should get much less CPU time. And WebGL/etc. are unlikely to be running in background tabs.
If you assume a device stays connected and open for 1/4 of a day, and stays for 3 days on average, and gives you 1MH/sec (seems optimistic, all things considered), 1 million devices compromised a month gives you ~$300 a month. If the assumption is that you can persistently own a machine, then you'd need fewer machines. But that's going beyond simple JS injection on HTML pages.
I used this calculator: http://www.alloscomp.com/bitcoin/calculator
Of course, it also doubles as an IRC idler/whatever else you can think of.
SSH is done through key authentication and there's an OpenVPN server if the network I'm connecting through isn't too locked down.
Next trick is to do IP-over-DNS and I'll be all set wherever I am.
Now if only someone would come out with a USB3-capable board with dual-gigE (I don't mind if it can only push 500Mbit each port)
iodine[1] is a fairly easy way to set that up. I just made a tunnel.mydomain.tld subdomain, pointed the NS records at my VPS and ran "iodined 10.0.0.1 tunnel.mydomain.tld"
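Added example, not the commenter's own setup: the delegation records iodine needs, a check that the delegation actually landed, and the server and client commands. tunnel.mydomain.tld and 10.0.0.1 are the names the comment above uses; the VPS address 203.0.113.10 (a documentation address), the nameserver name ns.mydomain.tld and the TUNNEL_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: you control mydomain.tld,
# the VPS sits at 203.0.113.10 (a documentation address), its nameserver name
# is ns.mydomain.tld, and TUNNEL_PASS is a shared secret you choose. The names
# tunnel.mydomain.tld and 10.0.0.1 are the ones the comment above used.
TUNNEL_DOMAIN="tunnel.mydomain.tld"
NS_NAME="ns.mydomain.tld"
VPS_IP="203.0.113.10"
TUNNEL_IP="10.0.0.1"

# The two records the parent zone needs: delegate the tunnel name to the VPS
# and give that nameserver an A record. Every query under tunnel.mydomain.tld
# is then answered by iodined, which is how data rides inside DNS queries.
zone_records() {
  printf '%s. IN NS %s.\n' "$TUNNEL_DOMAIN" "$NS_NAME"
  printf '%s. IN A %s\n' "$NS_NAME" "$VPS_IP"
}

# Verify the delegation before starting anything: $1 is the answer text from
# e.g. `dig +short NS tunnel.mydomain.tld`, $2 the nameserver you expect. With
# a wrong delegation iodined simply never sees a query.
delegation_ok() {
  printf '%s\n' "$1" | grep -Fixq -e "$2" -e "$2."
}

server_start() {   # run on the VPS as root
  # -f foreground, -c skip the client-IP check (NAT and hotspots rewrite it),
  # -P shared password. iodined takes 10.0.0.1 itself and hands clients .2 up.
  iodined -f -c -P "${TUNNEL_PASS:?set TUNNEL_PASS}" "$TUNNEL_IP" "$TUNNEL_DOMAIN"
}

client_start() {   # run on the laptop behind the captive portal, as root
  # Uses the resolver from /etc/resolv.conf, i.e. the hotspot's own DNS, which
  # is usually the one thing a captive portal lets through. iodine only brings
  # up a tun interface; reaching the VPS as 10.0.0.1 (or routing through it)
  # is up to you afterwards.
  iodine -f -P "${TUNNEL_PASS:?set TUNNEL_PASS}" "$TUNNEL_DOMAIN"
}

case "${IODINE_ROLE:-}" in
  server) server_start ;;
  client) client_start ;;
esac
```

Run with `IODINE_ROLE=server` on the VPS and `IODINE_ROLE=client` on the laptop, after `delegation_ok "$(dig +short NS tunnel.mydomain.tld)" ns.mydomain.tld` passes. Once the tun interface is up, either set a default route via 10.0.0.1 (keeping a host route to the hotspot's resolver, or the tunnel eats its own queries) or just ssh -D to 10.0.0.1 and proxy through that.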
Really? So would you blindly copy-paste things into your shell? Then I don't need to hijack your connections, I just put malicious pastes on the website.
If you are enough of a moron to copy-paste the first thing you find, you are probably not reading the other users' warnings that "this answer is wrong".
How many people review the snippet, copy, paste it into a text editor, re-review it, copy it, and then paste it into their shell?
(Tested it with the combination chromium+xterm+vim.)
Still, since I started running GNU/Linux I have never pasted a command line from a website into my terminal. This is just reckless. In borderline cases, I understand what the example is showing me and then apply it.
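Added example, not from any poster above: what lands in the terminal is not necessarily what the page showed (a span hidden with CSS, a JavaScript copy handler rewriting the selection, or simply an embedded newline that makes the shell run the line the moment it is pasted), so here is a small check that prints the clipboard with control characters made visible and refuses anything that is not one printable line. It assumes X11 with xclip; macOS pbpaste or Wayland wl-paste work the same way. Bracketed paste in readline 7 / bash 4.4 (`set enable-bracketed-paste on` in ~/.inputrc, on by default since bash 5.1) covers the newline case at the shell level; this covers the rest.

```shell
#!/bin/sh
# Added example, not from the thread. A page can hide text with CSS or rewrite
# the selection in a "copy" handler, so the paste can differ from what you saw;
# a newline inside it runs the command the moment it lands in the shell. These
# helpers pull the clipboard and refuse anything that is not one printable line.
# Assumption: X11 with xclip (macOS: pbpaste; Wayland: wl-paste -n).

# 0 if $1 is a single line of printable ASCII plus tab, 1 otherwise.
paste_is_single_line() {
  # Delete every printable byte and tab; whatever is left (\n, \r, ESC,
  # non-ASCII) is what the page did not let you see. Non-ASCII is flagged
  # too, deliberately: homoglyph hostnames fool eyes just as well.
  hidden=$(printf '%s' "$1" | LC_ALL=C tr -d '[:print:]\t' | wc -c | tr -d ' ')
  [ "$hidden" -eq 0 ]
}

# Print the paste with control characters escaped and "$" at each line end,
# so the hidden part becomes visible.
show_paste() {
  printf '%s' "$1" | sed -n l
}

# Prints the clipboard to stdout only if it passes; otherwise shows what it
# really contains on stderr and returns 1. Look, then type it yourself.
safe_paste() {
  # The trailing "x" keeps $(...) from stripping a final newline, which is
  # precisely the byte that would auto-execute the paste.
  text=$(xclip -o -selection clipboard; printf x)
  text=${text%x}
  if paste_is_single_line "$text"; then
    printf '%s\n' "$text"
  else
    echo "clipboard is not one printable line; it actually contains:" >&2
    show_paste "$text" >&2
    return 1
  fi
}
```

Typical use is `safe_paste` in the terminal before pasting anything copied from a site; a multi-line or escape-laden clipboard comes back as `echo harmless$` followed by the line you were not meant to see.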