Add MITM guide #39604
* upstream/main: (40 commits)
  Add a guide on xs-leaks (mdn#38977)
  chore: Link to child pages in SVG, URI section (mdn#39470)
  Correct page title for `Uint8Array.prototype.setFromHex()` (mdn#39494)
  Bump markdownlint-cli2 from 0.17.2 to 0.18.0 (mdn#39488)
  Add more documentation for sizes=auto (mdn#39464)
  css(fix): update 'shape()' page (mdn#39454)
  Expand Compression Dictionary format description (mdn#39441)
  Add username/password section to URLs guide (mdn#39487)
  Fix typos (mdn#39481)
  CSS: mask-position property description (mdn#39449)
  Adding @starting-style to CSS nesting at-rules (mdn#39473)
  feat(aria): Add short titles, format titles for roles (mdn#39472)
  Fix Circle Collision detection algorithm (mdn#39484)
  Add warning against using element IDs as global properties. (mdn#39422)
  Fix typos in web audio spatialization basics (mdn#39476)
  More Error Messages (mdn#39419)
  Add links to CSS sidebar (mdn#39445)
  css: add 'stretch' value examples (mdn#39451)
  chore: link to unlinked child pages (mdn#39469)
  Fix typos (mdn#39465)
  ...
This looks good.
I'm no expert, and this covers "what I know".
-
A quick AI query mentions other vectors such as:
- DNS Spoofing/Cache Poisoning: The attacker manipulates DNS resolution, so when a user tries to access a legitimate website, their request is redirected to the attacker's controlled server instead.
- Malware on the Client: Malware can install malicious root certificates, modify browser settings, or directly intercept and manipulate traffic on the client's machine, effectively bypassing many HTTPS protections.
I don't know if those are relevant to mention here.
-
Is there a need for a summary checklist?
-
Is there a need to talk about what the browser always does for you, such as showing the secure icon - or to put it another way, end user best practices. Not advocating - stream of thought review.
I wouldn't have called either of these MITM. Certainly the second, by definition, isn't, is it?
-> 94cfef9
I'm not sure. This doesn't seem that relevant to web developers. I suppose we could have something in the preamble at https://pr39604.review.mdn.allizom.net/en-US/docs/Web/Security/Attacks/MITM#defenses_against_mitm that if you do serve pages over HTTPS, users will get the padlock. But I'm not sure it's worth it, and I think it distracts a bit from the framing of this as a defense against MITM. TBH I think HTTPS is so widespread now that this whole guide is of limited usefulness.
Yea, not the second. Maybe the first, but it feels like a different flavour of attack
Don't bother.
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
Thanks @wbamberg
I'm proposing a tiny suggestion here https://github.com/mdn/content/pull/39604/files#r2108151140 for your consideration.
Also perhaps consider rewording the defense topic headings as defenses
## Defenses against MITM
### TLS configuration
### Securely load subresources
### HSTS when upgrading HTTP requests
Approve though, as these are tweaks.
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
Thanks! I agree with the general spirit of these heading updates, but chose slightly different wording: 922e36c. I'll let this PR sit for a couple of days and then merge if I don't get any other comments.
Add a page on Manipulator in the Middle attacks.