← Back to context

Comment by drpossum

6 months ago

The case here was just injecting a domain. There's another thread for this post pointing out you would also need to inject a malicious root cert for https traffic, which is correct, but not impossible (and given some bad/lazy practices I've seen places do when they sign their own certs for internal infrastructure, not a far stretch)

If they can do that, they can spoof or proxy any website and collect your passwords, auth cookies, and anything else sent over the network. At that point, who cares if they can also see how much CPU you're using?

  • I've unlearned over my years that trying to come up with what malicious actors can do under what scenarios and conditions isn't worth the effort, because they are many, know more than me, have different goals than me, and I am one. There's endless permutations of environments and additional weakness or scenarios or a particular sensitivity of information that you don't or can't consider that make some attack really painful. For this case, maybe CPU usage or aggregate changes in CPU usage tips off an attacker on what someone is ramping up internally that can be used for espionage or even timing attacks.

    What I have learned in place of that is plug holes to minimize attack vectors.