Collaborate Disseminate
For PEAP it’s important to enable the "Verify the server’s identity by validating the certificate" setting in a Windows WiFi profile. Is there any benefit enabling this for EAP TLS? If I understood correctly, EAP TLS itself uses … Continue reading Does EAP TLS benefit from “Verify the server’s identity by validating the certificate” setting
A brief schema of a TLS intercepting proxy – the Client connects to the Host via the Proxy in a way which allows the Proxy to perform a (consensual) MITM.
[Client] -> [Proxy] -> [Host]
It’s my understanding reading references on… Continue reading Does TLS interception necessarily require a self-signed certificate? Please explain why
I am hoping I can leverage everyone’s knowledge on this one as I am at a lose.
I have an Android 10 Device connecting to a containerized web application that is secured by a custom Certificate Authority. The OCSP addresses in the certific… Continue reading Android Certificate Revocation Checking
I already tried googling but no luck. All search results always tell you how to check cert expiration manually, but that is not my question. Yes I can use OpenSSL for example, but what I am asking is how the SSL/TLS protocol does it, not h… Continue reading How does the SSL/TLS protocol determine if a certificate is expired or not?
I want to publish my website as http secure connection but I want to keep it private so only I can view it. I want to prepare and test its security before its official release.
Is there any service providing this kind of thing or can anyon… Continue reading How to publish a php website privately so I can make tests?
I am auditing a webapplication that gives access to a financial backend. The web application provides the frontend in a HTTPS session properly encrypted, and after the client authenticating inside the system, it sends the symmetric key tha… Continue reading Is Symmetric Key Exchange over HTTPS safe?
I download its certificates. To do that, I used the openssl debug output of the command
openssl s_client -connect security.stackexchange.com:443 -servername security.stackexchange.com -showcerts -debug </dev/null 2>&1|tee out
While learning about pentesting most of the time I have used the python3 -m http.server [PORT] command to spin up a temporary http server in order to transfer files to a target system. However as I am progressing and moving beyond the basi… Continue reading How to set up a simple HTTPS server for pentesting [closed]
Is there any way I could inspect the traffic from an untrusted device connected to my network? I would like to get a router that has ssl inspection capabilities, where I could check the https packets sent through it, to check if cheap devi… Continue reading Router level SSL Inspection
In TLS we have such an extension as EMS (extended master secret).
It has been applied to protect the master secret. But I don’t understand how it helps against triple handshake attack.
I assume that attacker can use two master secrets (one… Continue reading Triple handshake (TLS) EMS protection against attacks