Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi all! We have been experiencing an issue on site where threads have been missing the latest postings. The platform host Vanilla are working on this issue. A workaround that has been used by some is to navigate back from 1 to 10+ pages to re-sync the thread and this will then show the latest posts. Thanks, Mike.
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Check if your company/ISP is intercepting your HTTPS traffic

  • 10-04-2013 5:42pm
    #1
    CreepingDeath
    Closed Accounts Posts: 8,015 ✭✭✭


    Hi,

    Steve Gibson is a well known security expert who is the brains in the excellent "Security Now" podcast.

    He knocked up a web utility to help you detect whether your company might be intercepting your HTTPS traffic with a man-in-the-middle attack.

    ( installing the own root certificates, so they can create fake facebook/gmail etc certs )

    GRC Fingerprints link

    Basically he lists the HTTPS cert fingerprints of known websites, eg. Facebook.
    www.facebook.com	*.facebook.com	F5:6B:F2:44:63:B0:BD:61:36:C5:E8:72:34:6B:32:04:28:FF:4D:7C

    But you can put in your own website and he'll get the cert that his unintercepted site sees, eg.
    www.boards.ie *.boards.ie	C7:13:71:7A:A1:0B:CE:37:B1:77:46:FE:27:F1:58:A0:76:28:8D:42

    So then you go to https://www.boards.ie, view the cert in your browser and compare the fingerprints of the cert that YOU see, eg. in this case the SHA1 fingerprint matches, so I know that my company isn't intercepting the HTTPS traffic to boards.

    regards,
    CD
    Tagged:


Comments

  • #2
    Khannie
    Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Nice one. Some security companies do offer that trusted man in the middle as a service.


  • #3
    BaconZombie
    Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    Wait... When did Boards start using HTTPS?
    CreepingDeath wrote: »
    Hi,

    Steve Gibson is a well known security expert who is the brains in the excellent "Security Now" podcast.

    He knocked up a web utility to help you detect whether your company might be intercepting your HTTPS traffic with a man-in-the-middle attack.

    ( installing the own root certificates, so they can create fake facebook/gmail etc certs )

    GRC Fingerprints link

    Basically he lists the HTTPS cert fingerprints of known websites, eg. Facebook.
    www.facebook.com	*.facebook.com	F5:6B:F2:44:63:B0:BD:61:36:C5:E8:72:34:6B:32:04:28:FF:4D:7C

    But you can put in your own website and he'll get the cert that his unintercepted site sees, eg.
    www.boards.ie *.boards.ie	C7:13:71:7A:A1:0B:CE:37:B1:77:46:FE:27:F1:58:A0:76:28:8D:42

    So then you go to https://www.boards.ie, view the cert in your browser and compare the fingerprints of the cert that YOU see, eg. in this case the SHA1 fingerprint matches, so I know that my company isn't intercepting the HTTPS traffic to boards.

    regards,
    CD


  • #4
    Capt'n Midnight
    Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,470 Mod ✭✭✭✭Capt'n Midnight


    BaconZombie wrote: »
    Wait... When did Boards start using HTTPS?
    https://www.eff.org/https-everywhere does what it says on the tin.


    is OCSP still vulnerable to man in the middle attacks / is there another reliable way of verifying certs automatically ?


  • #5
    Khannie
    Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Capt'n Midnight wrote: »
    https://www.eff.org/https-everywhere

    Nice.


  • #6
    Capt'n Midnight
    Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,470 Mod ✭✭✭✭Capt'n Midnight


    https everywhere also has options for the EFF SSL Observatory https://www.eff.org/observatory


  • Advertisement
  • #7
    CreepingDeath
    Closed Accounts Posts: 8,015 ✭✭✭CreepingDeath


    Capt'n Midnight wrote: »
    https everywhere also has options for the EFF SSL Observatory https://www.eff.org/observatory

    Interesting, I've just enabled that.
    I had been using Https everywhere for boards as a matter of routine.


  • #8
    h57xiucj2z946q
    Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    BaconZombie wrote: »
    Wait... When did Boards start using HTTPS?

    I'm not sure if they want us to be using SSL just yet. They will keep re-directing you back you normal HTTP.


    el1dKhX.png


  • #9
    [-0-]
    Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    Owen Careful Rash wrote: »
    I'm not sure if they want us to be using SSL just yet. They will keep re-directing you back you normal HTTP.


    el1dKhX.png

    Yeah when I use https on boards the pages don't render properly.


Advertisement