While I agree there is a problem beyond Waze pages, I don't think Waze pages are immune from this MITM attack. After reviewing that last video in its entirety, I now understand that the hack occurs at the point your browser requests the HTTP URL from the target website. Because the initial request is to HTTP, the hack SW will spoof the HTTPS server and pretend to be that HTTPS server before you are redirected to the HTTPS link.voludu2 wrote:The bigger risk to users is probably not links back to waze, but links to google docs, because they involve google logins, which could compromise your google account.
It appears that the waze website uses some mechanism to force attempted http connections to become https, thus preventing the problem on links to waze sites.
Links to other sites, which might be vulnerable to this kind of attack, are the ones that could pose a risk to wiki users.
If you instead start your initial request for HTTPS, then the hack SW is unable to spoof the target HTTPS server and would fail, preventing you from disclosing login credentials.
Re: security risk: http instead of https in pages