Collaborate Disseminate
I have a question which came to my mind regarding ssl security. Ssl encrypts data with a public key and decrypts with a private key.
So in the figure
client->public key to private key-> server
Does also the server uses the same publi… Continue reading Https injecting javascript, steal crtificate
In below ssl diagram :
I have one doubt with 1-way ssl. If there is an interceptor in-between client and server who can alter in following way :
In step 8, when client is sending his symetric key to server, encrypted by server’s public k… Continue reading authenication of client in one way ssl [duplicate]
I have a Sophos XG firewall. I use it at home (to play around with) This firewall is capable to scan HTTPS traffic.
It decrypts the traffic and re-encrypts the traffic again. For the re-encryption of the traffic the firewall uses his own c… Continue reading Why does a firewall reencrypt https traffic
Assuming I have the master secret from SSLKEYLOGFILE client random, and server random, can I decrypt any tls traffic captured? I’ve started from Golang’s TLS implementation, pulled the connection stuff out, had it generate the keys and iv … Continue reading Manual TLS decryption with master secret
Can you do anything other than patching apps’ compiled-code/cert-files (which is app-specific, requires manual analysis and patching + super-user/root) to intercept TLS traffic of apps that use certificate pinning?
The answer seems to be … Continue reading Is there no way to bypass certificate pinning without patching apps?
Let’s assume Alice is an employee of the Chuck company.
Alice likes to communicate with Bob, a server somewhere in the internet.
Chuck, being a security orientated company, inspects all TLS connections from its devices by decrypting the t… Continue reading How can one detect and mainly bypass TLS inspection as a user with an enterprise managed device?
I downloaded two different third-party apps (running on Windows) in order to figure what HTTP calls does it make to an external server on the internet.
Both apps are calling the same server as far as I have guessed.
I installed Charles … Continue reading Force third party app to trust Charles Root Certificate
Everything earlier used to work fine. However, recently I downloaded a newer virtual device on Genymotion, which is an Android 8.0 API 26. I have been struggling to get HTTPS traffic intercepted on this device. Some digging suggested that … Continue reading BURP SSL connection failing on Genymotion Virtual Device – Android 8.0 API 26
I was reading RFC8446-TLS13 and a tls visualization and could not grasp some concepts.
I have all the tls connection data (client hello etc.) and SSL Logs (server_traffic_handshake_secret)
I see that authentication message is all handsha… Continue reading Authentication Message in TLS
I have the followin scenario and looking for a secure solution.
There is a web application, hosted on IIS. The connection is established over TLS 1.2 and is encrypted.
So the steps are
Client connects to the server over ssl
Client send… Continue reading How to mitigate credential disclosure in man in the middle attack