Collaborate Disseminate
I have a WAF solution that can work both inline and out-of-band. And we want to try the OOB option first. And possibly want to see HTTPS traffic as well.
But the vendor says if we want to see the HTTPS traffic, we should implement the solu… Continue reading Is it possible to see HTTPS traffic without intercepting? (With a copy of the traffic) [duplicate]
I have a reported finding saying that hostname verification is disabled.
This can be deduced from this line of code:
final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
httpClientBuilder.setSSLContext(sslContext).se… Continue reading How to verify hostname of certificate? and Is it mandatory if client knows the certificate?
According to PAN-OS documentation for "Traceability and Control of Post-Quantum Cryptography",
Traffic encrypted by PQC [post-quantum computing] or hybrid PQC algorithms cannot be decrypted yet, making these algorithms vulnerabl… Continue reading How can you protect against a man-in-the-middle forging a TLS Client Hello that offers insecure algorithms?
We’re doing a PoC on a new API Security/WAF tool, and we’re planning to place this solution out-of-ban rather than inline. So traffic wont go through the solution and we’ll send the mirrored traffic to analyze in the new solution.
My quest… Continue reading Can API Security/WAF tools decrypt "mirrored" traffic?
I have this line of code in a client server project:
sslContext.init(null, new TrustManager[]{new TrustAnyManager()}, null);
A security guy pointed out that this is skipping the validation of the certificate, but I don’t understand the se… Continue reading What is the security impact of disabling certificate check [duplicate]
Authentication alone will not stop a MITHM from intercepting and modifying plaintext exchanges, since he can let the authentication occur, then begin modifying the exchange data and neither end will sense anything wrong.
What am I missing … Continue reading In TLS, how are the Diffie-Hellman exchange parameters protected from a MITM attack? [duplicate]
I was playing with httpbin.org to test a client and discovered that some sites will get an header I did not set (X-Amzn-Trace-Id). If I do a curl https://httpbin.org/headers (which will respond with the requested headers), I see the respon… Continue reading How can Amazon add its own headers when I make HTTPS requests to a web application?
I downloaded an application, based on electron. I then decompiled the app.asar file. And I found two strange files: "server.cert" and "server.key".
The private RSA key corresponds to the certificate.
I was wondering wha… Continue reading Why does this application include a private RSA key?
I have an IIS server hosting a website. We have an SSL certificate for the primary WAN connection which is working. When we lose the primary internet connection, users need to securely connect using the backup connection. Is it possible… Continue reading Mutliple WAN connections, same server, ssl certificates [migrated]
Why data exchange between two web applications using redirection with query parameters or auto-form-post CANNOT be trusted by each web application, even when using HTTPS?
Note:
I understand that data exchange using query parameters has inh… Continue reading Why data exchange between 2 web apps using redirection with query parameters or auto-form-post CANNOT be trusted by each other, even when using HTTPS?