Last week, researchers at Citizen Lab discovered that Sandvine's PacketLogic devices were being used to hijack users' unencrypted internet connections, making yet another case for encrypting the web with HTTPS. In Turkey and Syria, users who were trying to download legitimate applications were instead served malicious software designed to spy on them. In Egypt, these devices injected money-making content into users' web traffic, including advertisements and cryptocurrency mining scripts.
These are all standard machine-in-the-middle attacks, where a computer on the path between your browser and a legitimate web server is able to intercept and modify your traffic data. This can happen if your web connections use HTTP, since data sent over HTTP is unencrypted and can be modified or read by anyone on the network.
The Sandvine middleboxes were doing exactly this. On Türk Telekom’s network, it was reported that when a user attempted to download legitimate applications over HTTP, these devices injected fake "redirect" messages which caused the user’s browser to fetch the file from a different, malicious site. Users downloading common applications like Avast Antivirus, 7-Zip, Opera, CCleaner, and programs from download.cnet.com had their downloads silently redirected. Telecom Egypt’s Sandvine devices, Citizen Lab noted, were using similar methods to inject money-making content into HTTP connections, by redirecting existing ad links to affiliate advertisements and legitimate JavaScript files to cryptocurrency mining scripts.
Site operators can mitigate these attacks by using HTTPS instead of HTTP. And as a user, it's easy to see when a web page has been loaded over HTTPS—check for “https” at the beginning of the URL or, on most common browsers, a green lock icon displayed next to the address bar. However, it can still be hard to tell when you're downloading files insecurely. For instance, Avast's website was hosted over HTTPS, but their downloads were not.
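As an added illustration (not part of the original post), here is a small Python audit script that checks for the two problems described above: an HTTPS page that links to downloads served over plain HTTP, as in the Avast case, and a plain-HTTP download request answered with a redirect to a different host, which is the pattern the injected "redirect" messages produce. All hostnames, URLs and the HTML snippet are constructed sample values.

```python
"""Audit helpers for insecure downloads and cross-host redirects on HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File types a user would typically download and run; extend as needed.
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".7z")
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class _LinkCollector(HTMLParser):
    """Collect every href on <a> tags in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def insecure_downloads(page_url, html):
    """Return download links on the page that would be fetched over plain HTTP.

    Relative links inherit the page's scheme, so only absolute http:// links
    to download-like files are flagged (the HTTPS-site, HTTP-download case).
    """
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        parsed = urlparse(absolute)
        if parsed.scheme == "http" and parsed.path.lower().endswith(DOWNLOAD_EXTENSIONS):
            flagged.append(absolute)
    return flagged


def suspicious_redirect(request_url, status, location):
    """True if a plain-HTTP request was redirected to a different host.

    A middlebox cannot forge a redirect for an HTTPS request, so only
    HTTP requests are considered; same-host redirects are treated as benign.
    """
    if status not in REDIRECT_STATUSES or not location:
        return False
    src = urlparse(request_url)
    dst = urlparse(urljoin(request_url, location))
    return src.scheme == "http" and dst.hostname != src.hostname


# Constructed sample page: secure site, one download link still over HTTP.
SAMPLE_PAGE = """<html><body>
<a href="http://files.example.test/setup.exe">Download installer</a>
<a href="https://files.example.test/setup.exe">Download (secure mirror)</a>
<a href="/about">About us</a>
</body></html>"""
```

Running `insecure_downloads("https://www.example.test/", SAMPLE_PAGE)` flags only the first link; `suspicious_redirect` on an HTTP download answered with a 302 to another hostname returns True.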
Today, Let’s Encrypt and Certbot make it easier than ever to deploy HTTPS websites and to serve content securely. And later this year, Chrome is planning on marking all HTTP sites as “not secure”. Thanks to these collective efforts and many more, almost 80% of web traffic in the U.S. is now encrypted with HTTPS. If you want to be sure you’re browsing securely, EFF’s HTTPS Everywhere browser extension can force your browser to use it wherever possible.
We've come a long way with HTTPS adoption since 2010, when EFF first started pushing tech companies to support it. Evidently, we still have a long way to go.