New on LowEndTalk? Please Register and read our Community Rules.
Comments
No, I am saying that there have been MITM attacks with SSL and that there is plenty of evidence, in part even from the perpetrators themselves.
And I'm saying that one doesn't need 0-days to do that. OpenSSL and even the protocol itself are a rich source of attack vectors. One example is the '\0' bug that allowed fake certs for arbitrary entities (boiling down to CAs verifying in domain order (reverse) but clients (using OpenSSL et al.) checking in 0..n order (forward) till '\0', which led to e.g. 'google.com\0blabla.it' being considered OK by the CA (as blabla.it was indeed owned by the requester) but OK for google.com by the client (who only saw 'google.com\0')).
And I'm saying that there are many other problems with CAs - for which we have evidence.
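As an added illustration (not code from the thread or from OpenSSL), the following Python models the two parsers the comment above describes: a simplified CA check that establishes ownership of the domain terminating the name, and a C-string style client that stops at the first NUL, next to the length-delimited check that closes the gap. Function names and the sample name are hypothetical.

```python
# Added example: simplified model of the '\0' certificate-name bug.
# Not OpenSSL code; the function names are hypothetical.

def ca_owner_domain(cn: bytes) -> bytes:
    """Simplified CA view: ownership is established for the domain that
    ends the requested name, read from the right, so a NUL byte earlier
    in the name does not affect what the CA validates."""
    tail = cn.rsplit(b"\x00", 1)[-1]          # text after the last NUL
    return b".".join(tail.split(b".")[-2:])   # its registrable domain


def legacy_client_name(cn: bytes) -> bytes:
    """Legacy client view: a C string ends at the first NUL, so only the
    prefix before it is ever compared against the expected host."""
    nul = cn.find(b"\x00")
    return cn if nul < 0 else cn[:nul]


def legacy_client_matches(cn: bytes, host: bytes) -> bool:
    """The vulnerable comparison: prefix-up-to-NUL equals the host."""
    return legacy_client_name(cn) == host


def hardened_client_matches(cn: bytes, host: bytes) -> bool:
    """The corrected comparison: the name is treated as a length-delimited
    value, an embedded NUL is rejected outright, and the whole value must
    equal the expected host."""
    if b"\x00" in cn:
        return False
    return cn == host


def classify(cn: bytes, host: bytes) -> dict:
    """Summarise how each party interprets one certificate name."""
    return {
        "ca_validated": ca_owner_domain(cn),
        "legacy_client_accepts": legacy_client_matches(cn, host),
        "hardened_client_accepts": hardened_client_matches(cn, host),
    }


# Constructed sample: the name from the comment above, as raw bytes.
CRAFTED_CN = b"google.com\x00blabla.it"

if __name__ == "__main__":
    print(classify(CRAFTED_CN, b"google.com"))
```

The hardened check is what every name comparison in a TLS client should look like: operate on the full length-delimited value and refuse names containing NUL.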
I can see what I'm doing on my VPS.
I wish, then all my hosting would be free.
"You know, HeartBleed can't even be considered the worst OpenSSL bug..."
No need for 0-days. BlueCoat is a commercially available DPI proxy that intercepts HTTPS and is used by ISPs, schools, and some governments to monitor their networks. It captures certificate requests and MITMs itself in between.
Sources:
http://surveillance.rsf.org/en/blue-coat-2/
http://bluecoat.force.com/knowledgebase/articles/Solution/Intercepting-SSL-traffic-based-on-authentication-credentials
They had a recent issue with TLS 1.3 changes in the Chromium browser: https://bugs.chromium.org/p/chromium/issues/detail?id=694593
You still need to have the BlueCoat certificate installed as trusted on all clients (schools and governments can and do ensure this via group policies in Windows), else this will show a broken cert error instead of the website. Nope, no magic miracle MITM devices for SSL.
Excellent point. I am not sure why @rincewind did not state this in his comment as that is quite a crucial fact and if left out, the claim is misleading.
For any decent provider I can see no reason to access customer data on a VPS; it's a different matter if the police have a court order and require data for investigation purposes.