
That sounds like altering existing content by adding new content btw.


Yes, a MITM can do that.


And could still do the exact same thing if they had TLS: get the page, add crap, and serve the result (albeit without TLS).


You know, I've never really realized that before. It's actually a pretty huge security hole for average users, no? There should be a way to explicitly forbid non-encrypted connections on a DNS level.


That's roughly the purpose of HSTS, but you need to have visited the site at least once first (or in the case of popular sites, HSTS status of a site is shipped with the browser.)


People who are encountering this for the first time might want to look at

http://www.thoughtcrime.org/software/sslstrip/

for some of the motivation!
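
The two mechanisms these comments refer to, a proxy rewriting https:// links to http:// on a page it relays (what sslstrip automates) and the HSTS policy store that makes a browser upgrade later requests on its own, modelled in a small added example. This is not code from the thread or from sslstrip; the host names, the preload set, the header values and the page snippet are constructed for illustration, and the store follows RFC 6797 only as far as needed to show why a first, never-before-seen visit is still exposed:

```python
"""Added example: SSL stripping versus an HSTS policy store.
Not code from the thread or from sslstrip; hosts, headers and the
sample page are constructed. Store modelled loosely on RFC 6797."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Attacker side: an SSL-stripping proxy relaying a plaintext page turns
# every https:// link into http://, so the victim's next click never
# attempts TLS and the proxy stays in the path.
_HTTPS_LINK = re.compile(r"https://", re.IGNORECASE)


def strip_https(html: str) -> str:
    return _HTTPS_LINK.sub("http://", html)


# Client side: a minimal HSTS store. Only hosts seen over TLS with a
# Strict-Transport-Security header, or hosts in the (constructed) preload
# set, get upgraded. An unknown host is still fetched in plaintext.
_DIRECTIVE = re.compile(r'\s*([a-zA-Z-]+)\s*(?:=\s*"?([^;"]*)"?)?')


def parse_sts(header: str):
    """Return (max_age, include_subdomains), or None if no usable max-age."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        m = _DIRECTIVE.match(part)
        if not m or not m.group(1):
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "max-age" and value is not None and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    def __init__(self, preload=()):
        # host -> (expiry epoch, include_subdomains); preloaded never expire
        self._known = {h.lower(): (float("inf"), True) for h in preload}

    def observe(self, host, over_tls, sts_header, now=None):
        # The header only counts when received over TLS (RFC 6797 s8.1);
        # a MITM on plain HTTP cannot plant or extend a policy this way.
        if not over_tls or sts_header is None:
            return
        parsed = parse_sts(sts_header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        now = time.time() if now is None else now
        host = host.lower()
        if max_age == 0:
            self._known.pop(host, None)  # max-age=0 removes the policy
        else:
            self._known[host] = (now + max_age, include_sub)

    def is_known(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:  # exact host, or a covering parent
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade http:// to https:// for known hosts before the request leaves."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or "", now):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    page = '<a href="https://example.test/download">preview build</a>'  # constructed
    stripped = strip_https(page)
    store = HstsStore()
    print(store.rewrite("http://example.test/download", now=1000))  # first visit: stays http
    store.observe("example.test", True, "max-age=31536000; includeSubDomains", now=1000)
    print(store.rewrite("http://example.test/download", now=1000))  # now upgraded client-side
```

The first `rewrite` call is the gap the comments describe: with no prior TLS visit and no preload entry the stripped link is followed as-is. Once the host has been seen over TLS with the header, the browser rewrites the URL before any request leaves, so the proxy never sees a plaintext request it could answer.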


A technical user could reasonably be expected to look for https before downloading 'preview build' or something equally payload-ey.

Then sigh and download PuTTY anyway...



