• 11 Posts
  • 609 Comments
Joined 1 year ago
cake
Cake day: July 5th, 2023

help-circle


  • Avid Amoeba@lemmy.catoTechnology@lemmy.worldWhat the hell Proton!
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    2 days ago

    The OS interfaces provided to apps (generally POSIX) have no idea what HTTP is. They’re much lower level than that. If an OS is to control what protocols are used by apps, it has to offer some functionality that does HTTP for the apps and apps have to use it. Unfortunately the only way to force that would be to disable the general OS interfaces so that apps can’t just use existing libraries that use those. If you did that your OS would become useless in other ways that rely on the basic interfaces.

    The other way the OS could do anything about it is to inspect network traffic going over its network interfaces. That would be a significantly different can of worms and it’s not free in terms of processing power and therefore battery. Then you’d have the screams of privacy people that Android or iOS is looking at all network traffic.

    So all in all, the OS isn’t very well suited to police application level protocols like HTTP. At least not on devices whose primary purpose isn’t network traffic related.



  • Apps don’t use the system browser to connect to REST endpoints. Neither do they use the OS. Apps typically use a statically linked library. There are use cases for HTTP-only connections so it’s unlikely that those libraries would mess with forcing or even warning its users that they’ve used HTTP instead of HTTPS. Point is Google and Apple can do little in this regard. Unless they scan apps’ source code which could be possible to some extent but still difficult because URLs are often written in pieces.


  • Avid Amoeba@lemmy.catoTechnology@lemmy.worldWhat the hell Proton!
    link
    fedilink
    English
    arrow-up
    74
    arrow-down
    2
    ·
    edit-2
    2 days ago

    Yup. You can grab any unencrypted data passed between the user’s browser and a server literally out of thin air when they’re connected to an open access point. You sit happily at the Starbucks with your laptop, sniffing them WiFi packets and grabbing things off of them.

    Oh and you have no idea what the myriad of apps you’re using are connecting to and whether that endpoint is encrypted. Do not underestimate the ability of firms to produce software at the absolute lowest cost with corners and walls missing.

    If I was someone who was to make money off of scamming people, one thing I’d have tried to do is to rig portable sniffers at public locations with large foot traffic and open WiFi like train stations, airports, etc. Throw em around then filter for interesting stuff. Oh here’s some personal info. Oh there’s a session token for some app. Let me see what else I can get from that app for that person.







  • To add a concrete example to this, I worked at a bank during a migration from a VMware operated private cloud (own data center) to OpenStack. In several years, the OpenStack cloud got designed, operationalised, tested and ready for production. In the following years some workloads moved to OpenStack. Most didn’t. 6 years after the beginning of the whole hullabaloo the bank cancelled the migration program and decided they’ll keep the VMware infrastructure intact and upgrade it. They began phasing out OpenStack. If you’re in North America, you know this bank. Broadcom can probably extract 1000% price increase and still run that DC in a decade.