Skip to content

Unencrypted connections do mean injection

Noted by on his .

My previous response to similar concerns is relevant. To elaborate:

If nothing prevents bad behavior from an ISP, and it has happened before, then you should assume it’s happening. This extends to injecting JavaScript apps into insecure connections.

Unless you trust every hop from your browser to the destination server (and back), assume anything unencrypted can and will be inspected (and potentially tampered with). Encrypt everything you can.