alt Hacker NewsIt's ridiculous to consider MITM attacks out of scope for taking over your computer. Also, there are probably ways to exploit this without a true MITM like DNS cache poisoning. But it's best to just assume the whole internet is MITMed.
Replies
Why would anyone ever exclude true mitm?
Various domain registrars have been compromised over and over again (often by children!), resulting in companies like Tesla and Cloudflare getting owned.
The reality is that any vaguely competent attacker can compromise a court clerk and just compel e.g. the .com registry to hand over whatever domain they want.
Although I suppose the aforementioned problem has significant implications beyond dns…
Out of scope does not necessarily mean out of impact. It is merely a question of how far a company wants to be responsible for the environment their software is run in. Most of the time that answer is "not much."
But I use a Wi-Fi password, so my phone says it's secure!
MITM where attacker needs to install their own CA certs on the victim's device -- sure, out of scope.
MITM because you used http instead of https and you don't have any other verified cryptographic signature on your data -- get tae fuck, fix it pronto.