home.social

#httpsvshttp — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #httpsvshttp, aggregated by home.social.

  1. 1) security.nl
    2) http:⧸⧸gw.defensie.nl
    3) https:⧸⧸gemeente.amsterdam

    Nb. in 2 en 3 heb ik ⧸⧸ i.p.v. // gebruikt om te voorkómen dat Mastodon er resp.
    gw.defensie.nl
    en
    gemeente.amsterdam
    van maakt (m.i. zou Mastodon OP Z'N MINST "http://" in link 2 moeten laten zien).

    Zie security.nl/posting/904650/sec.

    #httpVShttps #AitM #QRcodes #EvilTwin #PublicWifi #InfoSec #httpsVShttp #E2EE #Tunnel #TLS #SSL

  2. 1) security.nl
    2) http:⧸⧸gw.defensie.nl
    3) https:⧸⧸gemeente.amsterdam

    Nb. in 2 en 3 heb ik ⧸⧸ i.p.v. // gebruikt om te voorkómen dat Mastodon er resp.
    gw.defensie.nl
    en
    gemeente.amsterdam
    van maakt (m.i. zou Mastodon OP Z'N MINST "http://" in link 2 moeten laten zien).

    Zie security.nl/posting/904650/sec.

    #httpVShttps #AitM #QRcodes #EvilTwin #PublicWifi #InfoSec #httpsVShttp #E2EE #Tunnel #TLS #SSL

  3. @jscalzi : please stop using a http links if websites support https.

    By specifying vote.org (or vote.org/ which gives the same result) in a link, or by typing vote.org in the address bar of your browser, there are three possibilities:

    1) the browser connects to the _real_ vote.org website;

    2) the browser displays a certificate error (never continue in such a case);

    3) extemely unlikely (see [1]): the browser connects to a fake website that managed to obtain a valid certificate for the vote.org domain name.

    (Note: I used the Unicode '/' character instead of the regular slash char '/' to prevent Mastodon from hiding the protocol).

    By default, _none_ of the popular web browsers prevents active (i.e. not passive) criminals from successfully conducting Man-in-the-Middle attacks - if the first connection-attempt uses http.

    Most browsers _may_ TRY https first, but an attacker can block that request, forcing the browser to downgrade to http (if the user explicitly requested https, such a downgrade to http will _not_ happen).

    Such attacks can be conducted in various ways, such as by using an "evil twin" WiFi access point (bleepingcomputer.com/news/secu) or by manipulating DNS replies to browsers.

    Note: the domain "vote.org" is currently _not_ listed in the HSTS preload list (apparently it was removed because of stupidities): hstspreload.org/?domain=vote.o (being listed would _force_ browsers to use https, even if "the user" requested http by tapping on such a link).

    See also the unnecessarily poor results in internet.nl/site/vote.org/2883

    Unfortunately also @BleepingComputer regularly uses unnecessary http links in their articles.

    [1] More info: infosec.exchange/@Bitwiper/112

    @adamshostack

    #http #https #httpsvshttp#httpvshttps #AitM #MitM #EvilTwin #DNS #DNSAttacks #DV #DomainValidated #DomainValidation #Certificates #TLSCertificates #httpsCertificates #httpsServerCertificates #ServerCertificates #Authentication #Impersonation

  4. @jscalzi : please stop using a http links if websites support https.

    By specifying vote.org (or vote.org/ which gives the same result) in a link, or by typing vote.org in the address bar of your browser, there are three possibilities:

    1) the browser connects to the _real_ vote.org website;

    2) the browser displays a certificate error (never continue in such a case);

    3) extemely unlikely (see [1]): the browser connects to a fake website that managed to obtain a valid certificate for the vote.org domain name.

    (Note: I used the Unicode '/' character instead of the regular slash char '/' to prevent Mastodon from hiding the protocol).

    By default, _none_ of the popular web browsers prevents active (i.e. not passive) criminals from successfully conducting Man-in-the-Middle attacks - if the first connection-attempt uses http.

    Most browsers _may_ TRY https first, but an attacker can block that request, forcing the browser to downgrade to http (if the user explicitly requested https, such a downgrade to http will _not_ happen).

    Such attacks can be conducted in various ways, such as by using an "evil twin" WiFi access point (bleepingcomputer.com/news/secu) or by manipulating DNS replies to browsers.

    Note: the domain "vote.org" is currently _not_ listed in the HSTS preload list (apparently it was removed because of stupidities): hstspreload.org/?domain=vote.o (being listed would _force_ browsers to use https, even if "the user" requested http by tapping on such a link).

    See also the unnecessarily poor results in internet.nl/site/vote.org/2883

    Unfortunately also @BleepingComputer regularly uses unnecessary http links in their articles.

    [1] More info: infosec.exchange/@Bitwiper/112

    @adamshostack

    #http #https #httpsvshttp#httpvshttps #AitM #MitM #EvilTwin #DNS #DNSAttacks #DV #DomainValidated #DomainValidation #Certificates #TLSCertificates #httpsCertificates #httpsServerCertificates #ServerCertificates #Authentication #Impersonation

  5. @jscalzi : please stop using a http links if websites support https.

    By specifying vote.org (or vote.org/ which gives the same result) in a link, or by typing vote.org in the address bar of your browser, there are three possibilities:

    1) the browser connects to the _real_ vote.org website;

    2) the browser displays a certificate error (never continue in such a case);

    3) extemely unlikely (see [1]): the browser connects to a fake website that managed to obtain a valid certificate for the vote.org domain name.

    (Note: I used the Unicode '/' character instead of the regular slash char '/' to prevent Mastodon from hiding the protocol).

    By default, _none_ of the popular web browsers prevents active (i.e. not passive) criminals from successfully conducting Man-in-the-Middle attacks - if the first connection-attempt uses http.

    Most browsers _may_ TRY https first, but an attacker can block that request, forcing the browser to downgrade to http (if the user explicitly requested https, such a downgrade to http will _not_ happen).

    Such attacks can be conducted in various ways, such as by using an "evil twin" WiFi access point (bleepingcomputer.com/news/secu) or by manipulating DNS replies to browsers.

    Note: the domain "vote.org" is currently _not_ listed in the HSTS preload list (apparently it was removed because of stupidities): hstspreload.org/?domain=vote.o (being listed would _force_ browsers to use https, even if "the user" requested http by tapping on such a link).

    See also the unnecessarily poor results in internet.nl/site/vote.org/2883

    Unfortunately also @BleepingComputer regularly uses unnecessary http links in their articles.

    [1] More info: infosec.exchange/@Bitwiper/112

    @adamshostack

    #http #https #httpsvshttp#httpvshttps #AitM #MitM #EvilTwin #DNS #DNSAttacks #DV #DomainValidated #DomainValidation #Certificates #TLSCertificates #httpsCertificates #httpsServerCertificates #ServerCertificates #Authentication #Impersonation