Collaborate Disseminate
I have created an authentication API to manage user sessions and the works. To log a user in, the user send their credentials to my API endpoint and it returns “true” or “false” based on their login. I recently received an issue report sta… Continue reading Preventing a Burp and Intercept
A co-worker insists that TLS can’t be configured to insist upon messages encrypted with known keys/cyphers — ie, that plaintext requests will always be accepted. This would leave TLS unable to reject requests from unauthoriz… Continue reading Must TLS also accept unencrypted messages?
A co-worker insists that TLS can’t be configured to insist upon messages encrypted with known keys/cyphers — ie, that plaintext requests will always be accepted. This would leave TLS unable to reject requests from unauthoriz… Continue reading Must TLS also accept unencrypted messages?
I am new in pentesting so I don’t know what to expect.
I am intercepting HTTPS requests of Android apps in my phone through Fiddler for pentesting purposes. I have installed the Fiddler certificate on my Android phone so that… Continue reading Is getting intercept request of HTTPS in clear text is a bug [closed]
This question already has an answer here:
I recently read a somewhat funny article at crimeflair.net, questioning (read: murdering) the way CloudFlare provides SSL. In their words: “CloudFlare’s half-baked SSL: suspicious sockets layer”.
Note: The name crimeflair suggests some kind of propaganda against CloudFlare, and the text, design and images of the site almost make me feel like reading a conspiracy theory. Also the article has quite some unproven theories and assumptions. But…
Local authorities could be sniffing the plaintext available at these data centers, and CloudFlare wouldn’t have a clue.
This made me think about the current way CloudFlare works. CloudFlare is indeed a Man-in-the-Middle, encryption can never be end-to-end because then the CloudFlare CDN/proxy won’t work.
Using CloudFlare’s SSL to add a “free” SSL layer to some simple website of the local bakery (half-baked, got it?) seems to me like little risk. But using this in enterprise solutions with confidential data might be a thing.
It will probably protect the end-user against local network sniffing and spoofing fine! Since the connection from the end-user to CloudFlare is encrypted. But against a government or ISP that can just read the unencrypted connection behind the CloudFlare proxy towards the origin server? Probably not at all.
… it would make no difference whether the origin server has its own certificate.
Recap: CloudFlare might “secure” the availability by their great anti DDoS features but it might be a serious risk for the confidentiality and possibly even integrity of the connection due to the SSL tricks they need to use.
Interesting additional whitepaper: “When HTTPS Meets CDN: A Case of Authentication in Delegated Service” or mirror at ieee.org.
While some of those problems are operational issues only, others are rooted in the fundamental semantic conflict between the end-to-end nature of HTTPS and the man-in-the-middle nature of CDN involving multiple parties in a delegated service.
Question: Is CloudFlare’s SSL half-baked since they become the Man-in-the-Middle (MitM)? And so, should it be discouraged?
This question already has an answer here:
I recently read a somewhat funny article at crimeflair.net, questioning (read: murdering) the way CloudFlare provides SSL. In their words: “CloudFlare’s half-baked SSL: suspicious sockets layer”.
Note: The name crimeflair suggests some kind of propaganda against CloudFlare, and the text, design and images of the site almost make me feel like reading a conspiracy theory. Also the article has quite some unproven theories and assumptions. But…
Local authorities could be sniffing the plaintext available at these data centers, and CloudFlare wouldn’t have a clue.
This made me think about the current way CloudFlare works. CloudFlare is indeed a Man-in-the-Middle, encryption can never be end-to-end because then the CloudFlare CDN/proxy won’t work.
Using CloudFlare’s SSL to add a “free” SSL layer to some simple website of the local bakery (half-baked, got it?) seems to me like little risk. But using this in enterprise solutions with confidential data might be a thing.
It will probably protect the end-user against local network sniffing and spoofing fine! Since the connection from the end-user to CloudFlare is encrypted. But against a government or ISP that can just read the unencrypted connection behind the CloudFlare proxy towards the origin server? Probably not at all.
… it would make no difference whether the origin server has its own certificate.
Recap: CloudFlare might “secure” the availability by their great anti DDoS features but it might be a serious risk for the confidentiality and possibly even integrity of the connection due to the SSL tricks they need to use.
Interesting additional whitepaper: “When HTTPS Meets CDN: A Case of Authentication in Delegated Service” or mirror at ieee.org.
While some of those problems are operational issues only, others are rooted in the fundamental semantic conflict between the end-to-end nature of HTTPS and the man-in-the-middle nature of CDN involving multiple parties in a delegated service.
Question: Is CloudFlare’s SSL half-baked since they become the Man-in-the-Middle (MitM)? And so, should it be discouraged?
Scenario: A test server has a deployed build on there ready for testing, can i use burpsuite/ZAP on my local computer if the server is on the same network? Am i somehow skewing the results and the data i see inside the reques… Continue reading Burpsuite proxy on the same network
Our company connects to an external service through an outdated library (using a PHP extension for an older version of PHP). As this requires us to have a server setup in isolation for this service, I have reached out to the … Continue reading How can I snoop on a mutually authenticated SSL connection?
I’ve recently become a fan of MITM attacks and had some fun hacking by manipulating HTTPS requests and responses in a couple tests.
I did this using mitmproxy and installing the certificate on my phone.
I would like to be a… Continue reading Generic SSL/TSL descryptor tool [on hold]
I’ve recently become a fan of MITM attacks and had some fun hacking by manipulating HTTPS requests and responses in a couple tests.
I did this using mitmproxy and installing the certificate on my phone.
I would like to be a… Continue reading Generic SSL/TSL descryptor tool [on hold]