Hi, I've read the Intercept's writeup[1], and read through Citizen Lab's writeup[2]. I'm having trouble understanding the attack surface, and how widely applicable the vulnerability is. Are MS and Google targeted because of their ubiquity, or is there also something (besides not using HTTPS) that they did to make their services vulnerable? How can there be a remote code vulnerability so low in the stack that it can be injected at the packet level, but high enough that TLS encryption foils the attack? Does this affect Windows only? Through particular browsers? I'm certainly up for using this as an argument for how difficult it is to predict the severity and creativity of MITM attacks, but I would like to better understand the magnitude of the disclosure. Thanks, Eric [1] https://firstlook.org/theintercept/2014/08/15/cat-video-hack/ [2] https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/ -- https://konklone.com | https://twitter.com/konklone