Demo of off-path TCP exploit for Windows 10 Pro:

Windows 10 Pro version 1709

Chrome version 64.0.3282.140

www.cnn.com uses HTTPS but unfortunately not HSTS. When an user types www.cnn.com, its initial request to the main page is still HTTP (for which we can inject a fake reply already). The real server's subsequent redirection to HTTPS will not take effect.