<div dir="ltr">Hi,<div><br></div><div>I've read the Intercept's writeup[1], and read through Citizen Lab's writeup[2]. I'm having trouble understanding the attack surface, and how widely applicable the vulnerability is.</div>

<div><br></div><div>Are MS and Google targeted because of their ubiquity, or is there also something (besides not using HTTPS) that they did to make their services vulnerable?</div><div><br></div><div>How can there be a remote code vulnerability so low in the stack that it can be injected at the packet level, but high enough that TLS encryption foils the attack?</div>

<div><br></div><div>Does this affect Windows only? Through particular browsers?</div><div><br></div><div>I'm certainly up for using this as an argument for how difficult it is to predict the severity and creativity of MITM attacks, but I would like to better understand the magnitude of the disclosure.</div>

<div><br></div><div>Thanks,</div><div>Eric</div><div><br></div><div>[1] <a href="https://firstlook.org/theintercept/2014/08/15/cat-video-hack/">https://firstlook.org/theintercept/2014/08/15/cat-video-hack/</a></div><div>
[2] <a href="https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/">https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/</a><br clear="all">
<div><br></div>-- <br><div dir="ltr"><div><a href="https://konklone.com">https://konklone.com</a> | <a href="https://twitter.com/konklone">https://twitter.com/konklone</a><br></div></div>
</div></div>