<html><head></head><body bgcolor="#FFFFFF"><div>I've heard of proof of concept demos for hijacking streams. Basically, the attacker on WiFi responds to the TCP SYN request faster than the web site itself. The example I saw showed people whose HTTP image requests all returned goatse. <br><br>https checks the certificate of the remote site. You could do this for https but the certificate wouldn't match. </div><div><br>Thanks,<div><br></div><div>gopi@iPhone</div><div><br></div></div><div><br>On Feb 16, 2012, at 10:59, Jeffrey Carl Faden <<a href="mailto:jeffreyatw@gmail.com">jeffreyatw@gmail.com</a>> wrote:<br><br></div><div><span></span></div><blockquote type="cite"><div>Are you suggesting that an outgoing HTTP GET request can be hijacked and the information that's returned could be script other than jQuery? I'd be interested in understanding more how that works, and how requesting resources over HTTPS prevents that.<div>
<div><div><br></div><div>Jeffrey<br><br><div class="gmail_quote">On Wed, Feb 15, 2012 at 11:33 PM, Seth David Schoen <span dir="ltr"><<a href="mailto:schoen@loyalty.org">schoen@loyalty.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">Jeffrey Carl Faden writes:<br>
<br>
> Hey dudes,<br>
><br>
> First Frontend Web Development lab meets tomorrow, Thursday at 8pm.<br>
><br>
> If you want to get a head start on the assignment or just think it over, I've uploaded it here:<br>
> <a href="http://jeffreyatw.com/static/frontend/class12/assignment.html" target="_blank">http://jeffreyatw.com/static/frontend/class12/assignment.html</a><br>
<br>
</div>Can you please have your students load jQuery from<br>
<br>
<a href="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js" target="_blank">https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js</a><br>
<br>
rather than your existing suggestion of<br>
<br>
<a href="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js" target="_blank">http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js</a><br>
<br>
and correspondingly for jQuery Validation? In the existing case a network<br>
attacker can completely pwn their web applications, _even if they're loaded<br>
from localhost or from local HTML instead of from any web server_.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Seth David Schoen <<a href="mailto:schoen@loyalty.org">schoen@loyalty.org</a>> | No haiku patents<br>
<a href="http://www.loyalty.org/~schoen/" target="_blank">http://www.loyalty.org/~schoen/</a> | means I've no incentive to<br>
FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150 | -- Don Marti<br>
</font></span></blockquote></div><br></div></div></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Noisebridge-discuss mailing list</span><br><span><a href="mailto:Noisebridge-discuss@lists.noisebridge.net">Noisebridge-discuss@lists.noisebridge.net</a></span><br><span><a href="https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss">https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss</a></span><br></div></blockquote></body></html>