Collaborate Disseminate
Doesn’t it make any difference if the sites we visit are not the standard ports like 80/443? Say we visit https://example.com:554/is-this-visible-to-isp? since domain is known to the ISP, what about the ports and the paths connected to the… Continue reading Does it make any difference for what an ISP might see if we use a non-standard port for HTTP and HTTPS?
I have managed to decrypt TLS 1.2 data using Wireshark on a connection from the browser to the WCF service, but cannot manage to do the same with the WCF client.
I’m not sure what is the difference, because in both cases the cipher suite s… Continue reading Wireshark decrypt TLS 1.2 from WCF client
A valid certificate cannot guarantee that I’m not being MITM’d right now, as either the private key or CA may have been compromised. For this reason, I have to contact a CA through CRL/OCSP to check if it’s been revoked. Best case, I can h… Continue reading What’s the point of certificates in SSL/TLS?
What would happen if PKI for root CA is insecure? Let’s say that one of the root Certificate Authorities was hacked and nobody noticed it yet.
Are all websites insecure or only those that were signed by this authority? Does it mean that a … Continue reading What would happen if root CA get hacked? [duplicate]
What would happen if PKI for root CA is insecure? Let’s say that one of the root Certificate Authorities was hacked and nobody noticed it yet.
Are all websites insecure or only those that were signed by this authority? Does it mean that a … Continue reading What would happen if root CA get hacked? [duplicate]
I am not an information security expert (just a developer) and recently discovered this kind of vulnerability, and have a few questions (so sorry if I misinterpreted something about how the attack works).
In the product I am developing whe… Continue reading CRIME like attack and locality of randomized data
I was testing the supported cipher suites for an exposed httpd service.
On the server, the cipher suites are defined in the httpd properties file ( httpd.sslCipherSuite=….)
When I run testssl from my Kali machine, I get a list of cipher … Continue reading testssl not detecting all cipher suites
If an attacker wants to create a phishing website with a fake TLS certificate, to my noob mind, there is a way to do this:
Create the fake website certificate
Create the hash for this certificate
Take a valid root PKI certificate with the… Continue reading Brute force copy of PKI root certificates
I know TLS normally uses a x.509 certificate. But is it possible to use a non-x.509 cert to do TLS if both the server and client understand the format of that certificates?
Continue reading Can we use a custom non-x.509 cert for TLS?
There have been reports of attacks against certificate authorities resulting in the issuance of fraudulent TLS certificates for sites such as google.com, yahoo.com, and skype.com. These attacks seem to be a thing of the past though, and I … Continue reading What prevents certificate authorities from issuing fraudulent TLS certificates?