Who can eavesdrop on a user's HTTP traffic?
Solution 1:
Easy - just follow the cable from your PC to the server.
This is maybe specific to Austria, but it probably looks similar all over the world.
let's assume we've got an DSL user:
- PC -> Ethernet -> Modem
Anybody with access to the local infrastructure can sniff the traffic
- Modem -> 2-wire-Copper -> DSLAM
Anybody with access to the copper infrastructure and equipment which is able to decode the data can eavesdrop. Most of this wiring is relatively unprotected and easy to access if you know where to look, but to actually decode the data you'd probably need some very specific equipment.
- DSLAM -> ISP infrastructure -> ISP core routers
Most DSLAMs are connected via Fibre to some sort of Fibre Ring/MAN to routers of the ISP.
There have been stories in Germany where supposedly three-letter-agencies from the U.S. of A eavesdropped on traffic of a Metropolitan Area Network. There are off-the-shelf devices which can do this, you just need the right budget, intent and knowledge of the local infrastructure.
- ISP core routers -> BGP -> Target AS
Given that the destination server is not in the same Autonomous System as the user is, the traffic has to be sent over the "Internet". If you're going over the Internet, to use a quote from Snatch, "All Bets Are Off". There are so many nooks and crannies were a malicious operators could attach themselves, that you're best assuming that all your traffic is going to be read.
The DHS (or maybe some other agency) actively eavesdropped on backbone infrastructure in the USA on this level.
- Target AS Border router -> ISP infrastructure -> Housing Center
See above.
- Housing Center Router -> Switches -> Server
This is how quite a few sites were already attacked. Ethernet offers no protection for hosts which are in the same (V)LAN/broadcast domain, so any host can try ARP spoofing/poisoning to impersonate another server. This means that all traffic for a given server can be tunneled through a machine in the same (V)LAN.
Solution 2:
On a switched LAN (like most Ethernet networks), you can use ARP cache poisoning to, in many cases, eavesedrop on such traffic. Basically, you can fake the client computer out and make it think that your eavesdropping station is the router off the LAN.
On shared-media LANs-- i.e. non-switched, like wireless Ethernet w/o encryption or w/ broken encryption-- you don't even need to do that. Just listen!
At the ISP, and the ISP's ISP, and the ISP's ISP's ISP... etc, an attacker would only need to sniff the traffic. Any point in the path the traffic flows thru is subject to potential eavesdropping. There are LANs in between there, too, so there's always the possibility of eavesdropping by ARP cache poisoning, etc.
Finally, at the far end there will be another LAN, just as susceptible to eavesdropping as the source LAN.
J. Random idiot who knows your IP address isn't going to be eavesdropping on your traffic without hacking something along the way, or diverting the traffic flow from its normal path to them.
Yeah-- cleartext is bad.