[quote=afx114]
Not true. Someone in between you and a non-encrypted site can modify the code in any way they see fit, including injecting ads, or worse, malware/keyloggers/etc. Any public wifi is susceptible to this if you’re not viewing encrypted content.
[/quote]
Yes and no. It requires guessing the random number sequence used in TCP/IP. Some systems create a more ‘guessable’ number than others. On the other hand, if it is a true man in the middle (not WiFi) then they can because they catch the packet (preventing it from going to you) then spit out the replacement – copying the sequence from the packet that they caught. Wifi – has to guess and inject sequence numbers because you will receive the valid packet and the injected packets.
That said, non-encrypted on public WiFi – means that you are working ‘in the nude’ and all will be seen – not necessarily intercepted and re-written.
[quote=afx114]
How do you know that this or any non-SSL site hasn’t been modified between the data center and your browser? You don’t. Because it’s not encrypted.
Middlemen can’t modify encrypted content, which is why you need SSL even on “public” sites.
SSL certs are basically free now (https://letsencrypt.org/) and all technical arguments against them (take up CPU cycles, browsers don’t support them) are irrelevant on today’s hardware/browsers.
[/quote]
Some computers actually have an AES capable crypto chip on the motherboard. The WiFi indicated was a true ‘man in middle’, vs a WiFi snoop. It can also be done by your ISP… or anyone else in the middle of the line.
If you really need to use a public WiFi, use AdBlock.
NOTE: on a side note, I am noticing that CNN.com is using some weird tracking code that flags as cross-site-scripting… anyone know more about it (before I consider digging)?
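The post's remark that a client on shared WiFi receives both the valid packet and the injected one gives a defender something to look for: two TCP segments in one flow that cover the same sequence numbers with different bytes. A minimal detector for that follows, as an added example that is not part of the original post; the segment tuples and the function name are constructed for illustration and do not come from a real capture.

```python
from collections import defaultdict

# Constructed sample data: (src, sport, dst, dport, seq, payload) for
# server-to-client segments as seen at the client. Addresses are from
# documentation/private ranges and are not taken from a real capture.
SEGMENTS = [
    ("203.0.113.10", 80, "192.168.1.5", 51000, 1000, b"HTTP/1.1 200 OK\r\n"),
    ("203.0.113.10", 80, "192.168.1.5", 51000, 1017, b"<script src=/a.js>"),
    # Same sequence range as the previous segment, different bytes.
    ("203.0.113.10", 80, "192.168.1.5", 51000, 1017, b"<script src=/x.js>"),
    ("203.0.113.10", 80, "192.168.1.5", 51000, 1035, b"</script>"),
    # Identical retransmission: overlapping but consistent, so not flagged.
    ("203.0.113.10", 80, "192.168.1.5", 51000, 1035, b"</script>"),
]


def find_conflicting_segments(segments):
    """Return (flow, segment_seq, first_conflicting_seq) for every segment
    whose bytes disagree with data already seen at the same sequence numbers."""
    seen = defaultdict(dict)  # flow -> {sequence number of a byte: byte value}
    conflicts = []
    for src, sport, dst, dport, seq, payload in segments:
        flow = (src, sport, dst, dport)
        first_bad = None
        for i, value in enumerate(payload):
            pos = (seq + i) % 2**32  # TCP sequence numbers wrap at 32 bits
            previous = seen[flow].setdefault(pos, value)
            if previous != value and first_bad is None:
                first_bad = pos
        if first_bad is not None:
            conflicts.append((flow, seq, first_bad))
    return conflicts


if __name__ == "__main__":
    for flow, seq, pos in find_conflicting_segments(SEGMENTS):
        print(f"{flow}: segment seq={seq} conflicts with earlier data at seq={pos}")
```

A hit means two different versions of the same stream bytes reached the host; it does not say which one is legitimate, and it gives no signal when an on-path device replaces the packet instead of racing it.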