Collaborate Disseminate
I am connecting to remote hosts via jump host where I verify only the jump host’s host key, but turn off host key verification for the target hosts.
the ssh command arguments look like this:
-o StrictHostKeyChecking=no -o ProxyCommand=&quo… Continue reading is MITM attack possible when we verify only the jump host’s fingerprint (host key)?
a friend of mine wanted to install MongoDB Community when he encountered a problem. The .msi file downloaded from https://www.mongodb.com/try/download/community was rejected by Windows when he tried to install it
The file that he download… Continue reading Can this be MITM attack?
I’m trying to MITM an Android application but I cannot get it to work properly. Usually, I’m using Burp for those kind of attacks, which allows me to intercept and decrypt HTTPS traffic. (Assuming the certificate is installed on the Androi… Continue reading Man-in-the-Middle Mobile (e.g. Android) Application Tool
I’m in the process of building a kinda odd mechanism to "bypass" authentication. Which of course I know its weird, but many business requirements are weird… So it is a design that derives from business decisions that state that… Continue reading Decoupled authentication flow, very vulnerable to Man in the Middle attacks?
I did some research about how secure and private SMS messages are.
Providers and governments can see these SMS messages in plaintext,
but what is weird is that these messages are not encrypted in transit.
According to my knowledge, that ma… Continue reading Why is SMS used as a way of verifying a user’s mobile, when it is not even encrypted in transit?
Question is for transfer encrypted data between two services (Like HTTP, GRPC or etc…) Can I transfer IV and AuthTag in plain, Is this approach secure?
I have sample code in Node.js and I’m not crypto expert. See the code for more info:
… Continue reading AES-256-GCM transfer IV and AuthTag
Here is the situation I have in hands:
I have a desktop application with my data on it and I need to extract all of it to migrate it to a new application. There are thousands of customer files so doing it manually is really not an option. … Continue reading How to intercept network connection/requests of a desktop app on MacOS [closed]
Assuming I use AWS to host a service with quite sensitive personal data, is it possible to hide traffic and stored data from amazon?
I would assume the answer is no. I think I need to provide all the keys, especially the private SSL-key, t… Continue reading Using AWS: Is it possible to hide the traffic from amazon?
I’ve read other some articles (including this: https://medium.com/@technospace/tls-handshake-under-the-hood-79d20c0020de) and similar questions but none exactly like this hypothetical scenario.
What if there is a "man in the middle&qu… Continue reading What if there is a "man in the middle" between the client and the certification authority and the same MITM is also between Client and server? [duplicate]
Summary
We are running a web site (https only) and have a single bug report from a user that says the site gets warned as "Not secure". The user gets this warning only when accessing it from the Safari browser on an iPhone (iOS 1… Continue reading Site "Not Secure" warning on Safari iOS, only on one device