Questions tagged [tls-intercept]

173 questions
5
votes
0 answers

How does TLS 1.3 break inspection?

The latest research seems to indicate that TLS 1.3 completely breaks the MITM/proxy model of many current security tools. I don't fully understand how it does that and if there are ways around this. Are SSL/TLS proxy vendors going to face…
RussM
5
votes
1 answer

Client requiring our SSL Private Key to configure the Load Balancer that reaches our server. Makes sense?

I'm facing an unusual situation, I hope you can clarify this for me. We manage some applications that are accessible through HTTPS requests on port 443 of our server X. We have a new client that is also supposed to reach us through our 443 port on…
5
votes
3 answers

Is implementing an SSL proxy server considered a good practice?

There are many questions on this site from users finding out that their employer has a certificate proxy in place, essentially implementing a man-in-the-middle attack so that all traffic is able to be decrypted. I've been told from our security…
Nacht
5
votes
3 answers

Is it acceptable for an employer to install a self-signed root certificate on employees' personal devices at home?

At work, my employer uses a self-signed root certificate to MITM all of our SSL/TLS traffic. Many of our internal certificates used by various micro-services and internal websites are also signed by this certificate. I have no real issue with this…
5
votes
1 answer

Can I use CloudFlare if I want to avoid NSA and FISA secret orders?

We're running a web service in Europe, secured with TLS and we're using private keys generated on our private hardware. We would like to use CloudFlare for DDoS protection and caching reverse proxy. However, putting my tinfoil hat on, I'm wondering…
5
votes
1 answer

Disable or bypass SSL Pinning/Certificate Pinning on Android 6.0.1

Previously I have been able to bypass SSL Pinning by using the program JustTrustMe with the Xposed framework for nearly every app. https://github.com/Fuzion24/JustTrustMe However it has started to fail on more and more apps recently. The more I…
Ogglas
4
votes
1 answer

How can police get someone's search history?

Sometimes I see news articles saying that someone was suspected of a crime so the police got their search history and found various google search terms etc. What are the possible ways they can do that? I understand that if they get physical access…
user176396
4
votes
1 answer

How come I can see full HTTPS requests via Fiddler?

I am testing a C# web API hosted on a remote server, and I am monitoring HTTPS traffic using Fiddler. What confuses me is that via Fiddler I can see all of the POST payload, headers and host URL addresses for both the request and the response.…
mko
4
votes
2 answers

Preventing a Burp and Intercept

I have created an authentication API to manage user sessions and the works. To log a user in, the user sends their credentials to my API endpoint and it returns “true” or “false” based on their login. I recently received an issue report stating that…
shane
4
votes
1 answer

Is it secure to rely on websocket connection?

In a client-server communication scenario over secure websocket, client is authorized securely and from there on, I have two choices: Assign a unique random ID (session) and check that on subsequent communications. Rely on socket connectivity and…
Xaqron
4
votes
2 answers

Certificate Pinning vs E2E Encryption

I see that there are some APIs which exchange some sort of public keys to secure the content of an HTTPS connection using asymmetric encryption. Is there any added benefit to this? As far as I know, it should be impossible to man in the middle a TLS…
Rowanto
4
votes
1 answer

Is filtering Flash based on the MIME type enough to keep it out?

As Flash is a real security mess I started blacklisting Flash at our proxy by blocking any content with the MIME type application/x-shockwave-flash which works pretty well as far as I can tell. The proxy does SSL interception so it covers both HTTP…
davidb
4
votes
3 answers

Is SSL Interception possible without disabling Public Key Pinning on the client side?

I'm currently setting up a pfSense firewall in my lab. It supports SSL Interception which works pretty well for most sites. But there are some sites which use HTTP Public Key Pinning to prevent MitM attacks and this is a real pain because the systems…
davidb
3
votes
1 answer

x509 certificates are still exposed even with Encrypted Client Hello?

Encrypted Client Hello hides Server Name Indication (SNI). However, looking at the TLS handshake (https://tls12.ulfheim.net/), wouldn't it be possible for a middle-man to inspect the TLS handshake and sniff ServerHello to see the x509 certificate…
Hmmm
3
votes
3 answers

Are TLS v1.3 connections over open Wi-Fi secure?

If a non-compromised device is connected to the internet via open Wi-Fi, anyone can view the traffic. But if all the connections to the servers use a reasonably secure cryptographic protocol (such as a recent version of TLS), is the communication…