#1

Hi,

Steve Gibson is a well known security expert who is the brains in the excellent "Security Now" podcast.

He knocked up a web utility to help you detect whether your company might be intercepting your HTTPS traffic with a man-in-the-middle attack.

(installing their own root certificates, so they can create fake Facebook/Gmail etc. certs)

GRC Fingerprints link

Basically he lists the HTTPS cert fingerprints of known websites, e.g. Facebook.

www.facebook.com	*.facebook.com	F5:6B:F2:44:63:B0:BD:61:36:C5:E8:72:34:6B:32:04:28:FF:4D:7C


But you can put in your own website and he'll get the cert that his unintercepted site sees, e.g.

www.boards.ie *.boards.ie	C7:13:71:7A:A1:0B:CE:37:B1:77:46:FE:27:F1:58:A0:76:28:8D:42


So then you go to https://www.boards.ie, view the cert in your browser and compare the fingerprint of the cert that YOU see; e.g. in this case the SHA1 fingerprint matches, so I know that my company isn't intercepting the HTTPS traffic to boards.

regards,
CD

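As an added example (not from the post, and not GRC's code), here is a Python script that automates the comparison described above: it fetches the leaf certificate the local network path actually presents, computes its SHA-1 fingerprint in the colon-separated form GRC and browsers display, and compares it with a reference value obtained out-of-band. The host name and boards.ie fingerprint in the main block are the ones quoted in the post; the function names and everything else are assumptions.

```python
import hashlib
import socket
import ssl

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, formatted the way browsers and
    the GRC page show it: uppercase hex pairs separated by colons."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize_fingerprint(fp: str) -> str:
    """Reduce a fingerprint copied from any UI ('F5:6B:..', 'f5 6b ..', or bare
    hex) to a canonical uppercase hex string so formatting alone cannot cause
    a false mismatch."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")

def fingerprints_match(observed: str, expected: str) -> bool:
    """True only for two complete SHA-1 fingerprints (40 hex digits) that are
    identical; a truncated or malformed value never counts as a match."""
    a, b = normalize_fingerprint(observed), normalize_fingerprint(expected)
    return len(a) == 40 and a == b

def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the DER leaf certificate actually presented on this network path.
    Chain verification is switched off deliberately: an interception proxy's
    certificate chains to a root installed on the local machine, so a verified
    handshake would succeed anyway. We want the raw certificate, whatever it is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_site(host: str, expected_fp: str) -> tuple[bool, str]:
    """Compare the fingerprint seen from here with one obtained out-of-band.
    Returns (match, observed_fingerprint). A mismatch means the certificate
    differs from the reference: either interception or a legitimately renewed
    certificate, so re-check the reference before drawing a conclusion."""
    observed = sha1_fingerprint(fetch_leaf_cert_der(host))
    return fingerprints_match(observed, expected_fp), observed

if __name__ == "__main__":
    # Reference value quoted in the post above for www.boards.ie at the time.
    ok, seen = check_site("www.boards.ie",
                          "C7:13:71:7A:A1:0B:CE:37:B1:77:46:FE:27:F1:58:A0:76:28:8D:42")
    print("match" if ok else "MISMATCH", seen)
```

The reference fingerprint must itself come from a path you trust not to be intercepted, which is what the GRC page provides. Certificates are renewed, so a mismatch against an old reference value is not proof of interception on its own.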
Khannie Make your dreams happen
#2

Nice one. Some security companies do offer that trusted man in the middle as a service.

BaconZombie Registered User
#3

Wait... When did Boards start using HTTPS?


#4

BaconZombie said:
Wait... When did Boards start using HTTPS?
https://www.eff.org/https-everywhere does what it says on the tin.

Is OCSP still vulnerable to man-in-the-middle attacks? Is there another reliable way of verifying certs automatically?

Khannie Make your dreams happen
#5
#6

HTTPS Everywhere also has options for the EFF SSL Observatory: https://www.eff.org/observatory

#7

Capt' said:
HTTPS Everywhere also has options for the EFF SSL Observatory: https://www.eff.org/observatory

Interesting, I've just enabled that.
I had been using HTTPS Everywhere for boards as a matter of routine.

Damo2k Registered User
#8

BaconZombie said:
Wait... When did Boards start using HTTPS?


I'm not sure if they want us to be using SSL just yet. They will keep redirecting you back to normal HTTP.


#9

Damo2k said:
I'm not sure if they want us to be using SSL just yet. They will keep redirecting you back to normal HTTP.

Yeah, when I use HTTPS on boards the pages don't render properly.
