What Pitts found during his research is that an attacker with a MITM position can actively patch binaries – if not security updates – with his own code. In terms of defending against this sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators. "SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted," he said via email.
- Sell user-specific data to a third party;
- Enter into an agreement to display paid advertising on behalf of a third party; and
- In the event of an acquisition or asset transfer, the Company shall require any acquiring entity to adopt these requirements with respect to the operation of Ello or its assets.
While that might turn off some potential revenue flows (the company says it will make money by selling optional features), as the linked article points out, it hasn't turned off investors; Ello has now raised $5.5 million from investors.