Sven Schwedas wrote:
On 23.04.21 08:36, Nicky Thomassen wrote:
But there is no need for that on a read-only site like Postfix'. In my opinion,
anyway.

It's only a read-only site as long as there's no man-in-the-middle attack injecting malicious code into the connection. There are too few people who disable things like JavaScript by default, and that battle is well and truly lost as far as the general public is concerned, so we need defence-in-depth measures to protect people from their own laziness.

This.

It's not just inserting malicious JS; some of the big US providers have inserted ads (or overridden a site's existing ad slots, effectively stealing such revenue as may or may not have been made by the visited site), and did so at the pure HTML content level. HTTPS at least protects the end user against their own ISP or any other unethical fingers with access to the connection path.

Dedicated tin-foil-hat-wearers can no doubt spin off far more sinister possibilities for this kind of in-flight alteration of web content.

-kgd
