#servercertificates — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #servercertificates, aggregated by home.social.
-
@jscalzi : please stop using a http links if websites support https.
By specifying https://vote.org (or https://vote.org/ which gives the same result) in a link, or by typing https://vote.org in the address bar of your browser, there are three possibilities:
1) the browser connects to the _real_ vote.org website;
2) the browser displays a certificate error (never continue in such a case);
3) extemely unlikely (see [1]): the browser connects to a fake website that managed to obtain a valid certificate for the vote.org domain name.
(Note: I used the Unicode '/' character instead of the regular slash char '/' to prevent Mastodon from hiding the protocol).
By default, _none_ of the popular web browsers prevents active (i.e. not passive) criminals from successfully conducting Man-in-the-Middle attacks - if the first connection-attempt uses http.
Most browsers _may_ TRY https first, but an attacker can block that request, forcing the browser to downgrade to http (if the user explicitly requested https, such a downgrade to http will _not_ happen).
Such attacks can be conducted in various ways, such as by using an "evil twin" WiFi access point (https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/) or by manipulating DNS replies to browsers.
Note: the domain "vote.org" is currently _not_ listed in the HSTS preload list (apparently it was removed because of stupidities): https://hstspreload.org/?domain=vote.org (being listed would _force_ browsers to use https, even if "the user" requested http by tapping on such a link).
See also the unnecessarily poor results in https://internet.nl/site/vote.org/2883671/
Unfortunately also @BleepingComputer regularly uses unnecessary http links in their articles.
[1] More info: https://infosec.exchange/@Bitwiper/112779974228111155
#http #https #httpsvshttp#httpvshttps #AitM #MitM #EvilTwin #DNS #DNSAttacks #DV #DomainValidated #DomainValidation #Certificates #TLSCertificates #httpsCertificates #httpsServerCertificates #ServerCertificates #Authentication #Impersonation
-
@jscalzi : please stop using a http links if websites support https.
By specifying https://vote.org (or https://vote.org/ which gives the same result) in a link, or by typing https://vote.org in the address bar of your browser, there are three possibilities:
1) the browser connects to the _real_ vote.org website;
2) the browser displays a certificate error (never continue in such a case);
3) extemely unlikely (see [1]): the browser connects to a fake website that managed to obtain a valid certificate for the vote.org domain name.
(Note: I used the Unicode '/' character instead of the regular slash char '/' to prevent Mastodon from hiding the protocol).
By default, _none_ of the popular web browsers prevents active (i.e. not passive) criminals from successfully conducting Man-in-the-Middle attacks - if the first connection-attempt uses http.
Most browsers _may_ TRY https first, but an attacker can block that request, forcing the browser to downgrade to http (if the user explicitly requested https, such a downgrade to http will _not_ happen).
Such attacks can be conducted in various ways, such as by using an "evil twin" WiFi access point (https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/) or by manipulating DNS replies to browsers.
Note: the domain "vote.org" is currently _not_ listed in the HSTS preload list (apparently it was removed because of stupidities): https://hstspreload.org/?domain=vote.org (being listed would _force_ browsers to use https, even if "the user" requested http by tapping on such a link).
See also the unnecessarily poor results in https://internet.nl/site/vote.org/2883671/
Unfortunately also @BleepingComputer regularly uses unnecessary http links in their articles.
[1] More info: https://infosec.exchange/@Bitwiper/112779974228111155
#http #https #httpsvshttp#httpvshttps #AitM #MitM #EvilTwin #DNS #DNSAttacks #DV #DomainValidated #DomainValidation #Certificates #TLSCertificates #httpsCertificates #httpsServerCertificates #ServerCertificates #Authentication #Impersonation
-
@jscalzi : please stop using a http links if websites support https.
By specifying https://vote.org (or https://vote.org/ which gives the same result) in a link, or by typing https://vote.org in the address bar of your browser, there are three possibilities:
1) the browser connects to the _real_ vote.org website;
2) the browser displays a certificate error (never continue in such a case);
3) extemely unlikely (see [1]): the browser connects to a fake website that managed to obtain a valid certificate for the vote.org domain name.
(Note: I used the Unicode '/' character instead of the regular slash char '/' to prevent Mastodon from hiding the protocol).
By default, _none_ of the popular web browsers prevents active (i.e. not passive) criminals from successfully conducting Man-in-the-Middle attacks - if the first connection-attempt uses http.
Most browsers _may_ TRY https first, but an attacker can block that request, forcing the browser to downgrade to http (if the user explicitly requested https, such a downgrade to http will _not_ happen).
Such attacks can be conducted in various ways, such as by using an "evil twin" WiFi access point (https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/) or by manipulating DNS replies to browsers.
Note: the domain "vote.org" is currently _not_ listed in the HSTS preload list (apparently it was removed because of stupidities): https://hstspreload.org/?domain=vote.org (being listed would _force_ browsers to use https, even if "the user" requested http by tapping on such a link).
See also the unnecessarily poor results in https://internet.nl/site/vote.org/2883671/
Unfortunately also @BleepingComputer regularly uses unnecessary http links in their articles.
[1] More info: https://infosec.exchange/@Bitwiper/112779974228111155
#http #https #httpsvshttp#httpvshttps #AitM #MitM #EvilTwin #DNS #DNSAttacks #DV #DomainValidated #DomainValidation #Certificates #TLSCertificates #httpsCertificates #httpsServerCertificates #ServerCertificates #Authentication #Impersonation