Collaborate Disseminate
"Full SSL Inspection is the ability to view encrypted Internet packets
(HTTPS traffic) on our school network. For security reasons, many
popular websites such as Google, YouTube and Facebook encrypt their
traffic to hide confidential… Continue reading Is there a way to bypass my school’s full SSL inspection? [closed]
I’m a pentester and this is my first question here. I’ve managed to circumvent the ssl certificate pinning implementation on a few mobile apps.
Frankly, the applications I test are critical bank applications and I can listen to the traffic… Continue reading Is SSL pinning bypass considered a vulnerability? If yes, what are the tightening/solution suggestions?
Recently started turning my phone on airplane mode and it got me curious. Airplane mode is supposed to turn off all radio signals. So, I won’t be able to receive or send messages (emails aswell, and so on). Once airplane mode is turned off… Continue reading Can messages be intercepted when in airplane mode?
When an app is not end-to-end encrypted then the app should be open to TLS interception (MITM attacks) from the local network. But for TLS interception to be performed, does that have to be automatically done by the system at the time the … Continue reading How to tell when your Android app is being TLS-Intercepted [closed]
I remember seeing comments saying that the financial industry wants to retain TLS 1.2, or some of its features – most notably the ability for a middlebox in a trusted setting to record the communication, if I recall correctly.
IETF had a d… Continue reading Has financial industry’s concerns with regard to TLS 1.3 been addressed? [closed]
I’m checking connections that traffic data in plain text, example: **http://**site.com
but I’d like to check with some script.
Does anyone know any scripts or how I can use openssl to find out if a website has a secure connection?
I don’t … Continue reading Check insecure connection with script
I was checking some things with the (Chromium) inspect tool and I saw that if you go to the ‘Network’ section the IP address wasn’t the actual DNS A (IPv4) or AAAA (IPv6) IP address but the Proxy IP address of the VPN company I’m using.
Si… Continue reading Can a HTTP proxy see HTTPS traffic?
I recently visited a website which was, well, hacked. The attacker was clearly able to modify the content of front page by adding his own text, images and JavaScript. I know this can be done in various ways by modifying the database record… Continue reading How can attacker disable compromised website’s SSL/TLS enforcement? [closed]
Encrypted Client Hello hides Server Name Indication (SNI). However, looking at the TLS Handshake (https://tls12.ulfheim.net/). Wouldn’t it be possible for a middle-man to inspect the TLS Handshake and sniff ServerHello to see the x509 cert… Continue reading x509 certificates are still exposed even with Encrypted Client hello?
I am trying to perform TLS interception in which I was given 2 containers: Host01 and Attacker with a br-intercept bridge. So every HTTP/HTTPS request from Host01 to the Internet passes through the Attacker. I could forward HTTP/HTTPS traf… Continue reading TLS Interception basics [closed]