←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 1 comments | 26 Jul 23 11:30 UTC | HN request time: 0.21s | source
Show context
swayvil ◴[26 Jul 23 18:56 UTC] No.36883023[source]
Why does everything need to be secure now?

I can understand shopping. And reporters of hot news. But why everything?

Why does my http site, which has nothing important on it at all, get flagged by chrome as "insecure"?

This strikes me as a bunch of bs.

replies(4): >>36883301 #>>36885631 #>>36886011 #>>36886406 #
1. cesarb ◴[26 Jul 23 23:08 UTC] No.36886406[source]
> Why does my http site, which has nothing important on it at all, get flagged by chrome as "insecure"?

Because an attacker can inject JavaScript code on it, and use it to attack other sites. The most famous example of that is "Great Cannon", which used a MITM attack on http sites to inject JavaScript code which did a distributed denial of service attack on GitHub. Other possibilities include injecting code which uses a browser vulnerability to install malware on the computer of whoever accesses your site (a "watering hole" attack), without having to invade your site first.