Do TLS interceptors that use root certificates to inspect traffic need to worry about PCI? [closed]

Many schools and workplaces require people using their internet to first install a root certificate, so that web traffic passing through their system can be decrypted and checked.
If someone makes an online purchase while connected to thei…

Are my internal systems susceptible to MitM if the root/chain is shared amongst all customers?

Suppose that my certificate authority issues private certificates using the same chain for all of their customers. Does this mean that a malicious actor who happens to be another one of their customers can easily perform an MiTM without a …

How exactly do corporate companies decrypt employee SSL/HTTPS traffic on company owned corporate devices? [duplicate]

I understand that corporate companies can/do decrypt employee SSL/HTTPS traffic because the company owned device has a company owned SSL certificate.
I thought the first certificate would encrypt the data and only the last one could decrypt…

Can a VPN company perform a MiTM attack if SSL Pinning is in place?

Recently, I read news about Facebook acquiring the Onavo VPN company to monitor Snapchat users’ traffic. It seems they executed a Man-in-the-Middle attack by replacing the certificate. But could they have executed the same attack if Snapcha…

Does TLS interception necessarily require a self-signed certificate? Please explain why

A brief schema of a TLS intercepting proxy – the Client connects to the Host via the Proxy in a way which allows the Proxy to perform a (consensual) MITM.
[Client] -> [Proxy] -> [Host]

It’s my understanding reading references on…

How can I enhance the security of SSL pinning in my mobile app to prevent certificate exposure?

For example, let’s say my backend address is api.xyz.com, and I have a mobile application. This application sends requests to api.xyz.com. The application employs SSL pinning, where it pins the certificate it easily obtained from api.xyz.c…