Why Can’t I See Server Certificates in TLS Handshake Public Websites [closed]

I am trying to see HTTPS traffic in Wireshark from my local machine to public sites, just to see how the TLS handshake is made.

Why can’t I see the traffic as HTTP2 in filters and am only able to see TLS traffic to port 443 and back to my ma…

Messaging Service Wiretap Discovered through Expired TLS Cert

Fascinating story of a covert wiretap that was discovered because of an expired TLS certificate:

The suspected man-in-the-middle attack was identified when the administrator of jabber.ru, the largest Russian XMPP service, received a notification that one of the servers’ certificates had expired.

However, jabber.ru found no expired certificates on the server, as explained in a blog post by ValdikSS, a pseudonymous anti-censorship researcher based in Russia who collaborated on the investigation.

The expired certificate was instead discovered on a single port being used by the service to establish an encrypted Transport Layer Security (TLS) connection with users. Before it had expired, it would have allowed someone to decrypt the traffic being exchanged over the service…


Is it possible to get an SSL certificate with a Subject Alternate Name of a different website?

If this is possible, what is stopping a malicious file from adding an entry to \etc\hosts that points example.com to a phishing clone of a website?
Usually, the browser warns you that the common name on the certs does not match up, but if …

How can authorities find my IP address if the website I browse doesn’t provide the information?

I made a silly mistake doxxing and stalking someone online. He filed a police case (FIR) against me. I have consulted with many tech people from my country and they say I’m safe because the site, www.reddit.com where I doxxed and stalked t…


Is it safe to embed mTLS certificate and private key in IOT device’s executable?

I will be deploying IOT devices in a consumer’s network that authenticate with a web based API using mTLS. Is it safe to embed the certificate and private key in the IOT application’s binary at compile time and distribute it like this? If t…

How can I enhance the security of SSL pinning in my mobile app to prevent certificate exposure?

For example, let’s say my backend address is api.xyz.com, and I have a mobile application. This application sends requests to api.xyz.com. The application employs SSL pinning, where it pins the certificate it easily obtained from api.xyz.c…