Collaborate Disseminate
Recently, I read news about Facebook acquired the Onavo VPN company to monitor Snapchat users’ traffic. It seems they executed a Man-in-the-Middle attack by replacing the certificate. But could they have executed the same attack if Snapcha… Continue reading Can a VPN company perform a MiTM attack if SSL Pinning is in place?
A brief schema of a TLS intercepting proxy – the Client connects to the Host via the Proxy in a way which allows the Proxy to perform a (consensual) MITM.
[Client] -> [Proxy] -> [Host]
It’s my understanding reading references on… Continue reading Does TLS interception necessarily require a self-signed certificate? Please explain why
In TLS we have such an extension as EMS (extended master secret).
It has been applied to protect the master secret. But I don’t understand how it helps against triple handshake attack.
I assume that attacker can use two master secrets (one… Continue reading Triple handshake (TLS) EMS protection against attacks
How does HTTP Debugger similar to Burp and Fiddler work without a proxy? Is there any other program to intercept http(s) without using a proxy? I would like to examine it.
For example, let’s say my backend address is api.xyz.com, and I have a mobile application. This application sends requests to api.xyz.com. The application employs SSL pinning, where it pins the certificate it easily obtained from api.xyz.c… Continue reading How can I enhance the security of SSL pinning in my mobile app to prevent certificate exposure?
NordVPN popped up with
"Couldn’t establish a secure connection." "We couldn’t validate this
TLS certificate and ensure a secure connection required for NordVPN to
run. It looks like your internet traffic might be intercepte… Continue reading Couldn’t establish a secure connection
Someone asked regarding wifi yesterday but can’t find the post anymore.
When connecting to corporate wifi with my personal iPhone for first time, I am asked to trust a "Root CA". However, I do not see the certificate under "… Continue reading Connect to corporate wifi with personal phone – decrypt https?
I have a desktop application on Windows that connects to a server which I don’t have access to. I want to reverse engineer an API for personal use so I can connect from a custom interface instead of using the official application.
Using Wi… Continue reading Decrypting TLS traffic from windows desktop application [closed]
I tried to capture the send-out traffic of the Android app (Google Drive, Facebook, etc.). This is my security thesis.
I succeed capture send-out traffic on the Google Drive app with Mitmproxy but with Facebook and Messenger, I can’t.
I ha… Continue reading SSL issue captures Facebook app send out traffic
Imagine the following imaginary scenarios:
In order to browse the Internet, users must go through a central web proxy. It is authenticated and can enforce rules about who can access which URLs or which file types are okay to download. At … Continue reading Central Web Proxy vs Endpoint Protection