
I don't work in networking, but seeing as most traffic is encrypted these days, does passing through unfriendly hardware matter as much as back in the days of plaintext everything? Sure they can drop packets, but they can't tamper/read it, or is there something I'm missing?


> […] but they can't tamper/read it, or is there something I'm missing?

You could redirect traffic temporarily to get a Let's Encrypt (ACME) certificate issued and then use it to pretend to be some important site. Redirect attacks have been done in the past:

> Among all the scams and thievery in the bitcoin economy, one recent hack sets a new bar for brazenness: Stealing an entire chunk of raw internet traffic from more than a dozen internet service providers, then shaking it down for as many bitcoins as possible.

* https://archive.is/http://www.wired.com/2014/08/isp-bitcoin-...

This type of attack is why LE does "Multi-Perspective Validation":

> A potential issue with this process is that if a network attacker can hijack or redirect network traffic along the validation path (for the challenge request, or associated DNS queries), then the attacker can trick a CA into incorrectly issuing a certificate. This is precisely what a research team from Princeton demonstrated can be done with an attack on BGP. Such attacks are rare today, but we are concerned that these attacks will become more numerous in the future.

* https://letsencrypt.org/2020/02/19/multi-perspective-validat...
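The reasoning quoted above, as an added toy model that is not part of the original comment and not Let's Encrypt's code: a CA that validates from a single network location is fooled by a hijack near that location, while one that also requires agreement from remote vantage points refuses to issue. The vantage names, token value and the "tolerate one remote failure" quorum rule are constructed assumptions.

```python
from dataclasses import dataclass

EXPECTED = "token123.thumbprintABC"  # constructed challenge value the CA expects to read back

@dataclass(frozen=True)
class Vantage:
    name: str
    primary: bool = False

# Constructed vantage points: one primary data centre plus three remote perspectives.
VANTAGES = [Vantage("primary-dc", primary=True), Vantage("remote-a"),
            Vantage("remote-b"), Vantage("remote-c")]

def fetch_challenge(vantage, hijacked, servers):
    """Body this vantage receives; a hijacked route lands on the rogue server."""
    return servers["rogue" if vantage.name in hijacked else "origin"]

def validate(expected, vantages, hijacked, servers, max_remote_failures=1):
    """Issue only if every primary and all but max_remote_failures remotes see `expected`.

    The threshold is an assumption for this sketch, not a documented CA policy.
    """
    results = {v.name: fetch_challenge(v, hijacked, servers) == expected for v in vantages}
    primary_ok = all(results[v.name] for v in vantages if v.primary)
    remote_failures = sum(not results[v.name] for v in vantages if not v.primary)
    return primary_ok and remote_failures <= max_remote_failures, results

if __name__ == "__main__":
    # Fraudulent order: the real origin has no challenge file, the rogue server does.
    fraudulent = {"origin": None, "rogue": EXPECTED}
    # Legitimate order: the real origin serves the challenge.
    legitimate = {"origin": EXPECTED, "rogue": None}
    near_primary = {"primary-dc"}  # route hijack visible only from the primary's network

    print("single perspective :", validate(EXPECTED, VANTAGES[:1], near_primary, fraudulent)[0])
    print("multi perspective  :", validate(EXPECTED, VANTAGES, near_primary, fraudulent)[0])
    print("legitimate owner   :", validate(EXPECTED, VANTAGES, set(), legitimate)[0])
```

The check only helps when the hijack is localized: if every vantage's route is affected, all perspectives agree and this model issues.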


Who checks those encryption keys?

If you direct a CA's traffic through your server, you can answer the HTTP or DNS queries that prove domain ownership. And lots of people click past warnings because an IT disruption isn't a day off if they can work around it.


Russia could easily “convince” a CA based in their country to do them a favour to facilitate MITM. Or just gather the right kompromat needed to convince one overseas.



