unless you accepted an invalid https certified popup, its not possible, even on public wifi.
or maybe you still type: http:// instead of https://, and then is easy to fake a dns response to point to a clone site
Ironically because MITM attacks for corporate security are that common, a lot of developer tools are configured to just ignore TLS checks instead of importing the correct root certificate.
In case of an unsecured WiFi connection this is of course much more dangerous even.
There are whole swathes of developers these days who don't even know what a network stack is, much less understand how HTTPS works. I expect these people were gumming up the bug trackers so they dumbed down the dev tools.
Fwiw, though, when I used Python behind a corporate proxy some 5-6 years ago nothing was configured to ignore the HTTPS warnings.
I think developers are especially at risk, because we all think we know the risks and can manage them better... yeah, right lol.
It's like how doctors and nurses are notoriously bad at getting their own health checkups. They're experts, they know better!
Pfft. How many of us actually spend time (and have the knowledge for) auditing the security of our OS, cert chains, HTTPS setup, etc.? I've seen experienced senior devs share private keys over Slack for the whole team to reuse, manually disable HTTPS checks with a comment like "too much trouble", etc. It's pretty scary.
I was amused by a prompt I received from Android Studio, requesting permissions to turn off anti-virus scanning for development directories. Which, of course, speeds up compile time dramatically (4 or 5x faster? A seriously non-trivial amount). Development directories, and SDK directories (including SDK binaries).
No more anti-virus protection for the directories that you as a developer should be most concerned about. What could possibly go wrong?
I'd be more concerned if I hadn't already done that, I suppose. Because compiles run so much faster when you do. But I was amused, nonetheless. :-/
