Check if your company/ISP is intercepting your HTTPS traffic

CreepingDeath

Hi,

Steve Gibson is a well known security expert who is the brains in the excellent "Security Now" podcast.

He knocked up a web utility to help you detect whether your company might be intercepting your HTTPS traffic with a man-in-the-middle attack.

( installing the own root certificates, so they can create fake facebook/gmail etc certs )

GRC Fingerprints link

Basically he lists the HTTPS cert fingerprints of known websites, eg. Facebook.

www.facebook.com	*.facebook.com	F5:6B:F2:44:63:B0:BD:61:36:C5:E8:72:34:6B:32:04:28:FF:4D:7C

But you can put in your own website and he'll get the cert that his unintercepted site sees, eg.

www.boards.ie *.boards.ie	C7:13:71:7A:A1:0B:CE:37:B1:77:46:FE:27:F1:58:A0:76:28:8D:42

So then you go to https://www.boards.ie, view the cert in your browser and compare the fingerprints of the cert that YOU see, eg. in this case the SHA1 fingerprint matches, so I know that my company isn't intercepting the HTTPS traffic to boards.

regards,
CD

Khannie

Nice one. Some security companies do offer that trusted man in the middle as a service.

BaconZombie

Wait... When did Boards start using HTTPS?

CreepingDeath wrote: »

Hi,

Steve Gibson is a well known security expert who is the brains in the excellent "Security Now" podcast.

He knocked up a web utility to help you detect whether your company might be intercepting your HTTPS traffic with a man-in-the-middle attack.

( installing the own root certificates, so they can create fake facebook/gmail etc certs )

GRC Fingerprints link

Basically he lists the HTTPS cert fingerprints of known websites, eg. Facebook.

www.facebook.com	*.facebook.com	F5:6B:F2:44:63:B0:BD:61:36:C5:E8:72:34:6B:32:04:28:FF:4D:7C

But you can put in your own website and he'll get the cert that his unintercepted site sees, eg.

www.boards.ie *.boards.ie	C7:13:71:7A:A1:0B:CE:37:B1:77:46:FE:27:F1:58:A0:76:28:8D:42

So then you go to https://www.boards.ie, view the cert in your browser and compare the fingerprints of the cert that YOU see, eg. in this case the SHA1 fingerprint matches, so I know that my company isn't intercepting the HTTPS traffic to boards.

regards,
CD

Capt'n Midnight

BaconZombie wrote: »

Wait... When did Boards start using HTTPS?

https://www.eff.org/https-everywhere does what it says on the tin.


is OCSP still vulnerable to man in the middle attacks / is there another reliable way of verifying certs automatically ?

Khannie

Capt'n Midnight wrote: »

https://www.eff.org/https-everywhere

Nice.

Capt'n Midnight

https everywhere also has options for the EFF SSL Observatory https://www.eff.org/observatory

CreepingDeath

Capt'n Midnight wrote: »

https everywhere also has options for the EFF SSL Observatory https://www.eff.org/observatory

Interesting, I've just enabled that.
I had been using Https everywhere for boards as a matter of routine.

h57xiucj2z946q

BaconZombie wrote: »

Wait... When did Boards start using HTTPS?

I'm not sure if they want us to be using SSL just yet. They will keep re-directing you back you normal HTTP.

[-0-]

Owen Careful Rash wrote: »

I'm not sure if they want us to be using SSL just yet. They will keep re-directing you back you normal HTTP.

Yeah when I use https on boards the pages don't render properly.