You are reading a single comment by @aggi and its replies.
  • Is that a MITM to proxy all SSL traffic?

    Wouldn't work on LFGSS.

    We use HSTS to force SSL, we do certificate pinning, the DNS uses DNSSEC.

    A decade ago that proposal would work, but now you'd find parts of the internet broken and with each day more parts would break. The very thing you propose is in essence what state level surveillance did at times, and also what advertisers try and do... the internet is building defences against this.

    You can capture packets to your heart's content, but it will all be encrypted and your chances of decrypting are low. You can MITM too, but you will break a lot of stuff when the chain of security breakage is detected.

  • Interesting, I thought this happened at my office (using Dell Sonicwall). LFGSS shows up as HTTPS but with a red line through it and the certificate being the firm, not LFGSS. Or is that something different?

  • Same thing.

    Cert pinning is currently experimental, so right now so long as a cert is present it will function with perhaps a warning.
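
The pin check described in the thread, as an added illustration (not LFGSS's own code or keys): a client compares HPKP-style SPKI pins against every certificate in the presented chain, and a chain re-issued by an interception proxy's own CA matches nothing. The keys are constructed Ed25519 placeholders wrapped in a DER SubjectPublicKeyInfo, and `enforce=False` models the report-only "experimental" mode @aggi mentions.

```python
import base64
import hashlib

# Constructed example, not LFGSS code. Pins are computed the way HPKP did:
# base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).

def ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap a 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo (OID 1.3.101.112)."""
    assert len(raw_key) == 32
    return bytes.fromhex("302a300506032b6570032100") + raw_key

def spki_pin(spki_der: bytes) -> str:
    """44-character base64 pin over the DER SPKI bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def check_chain(chain_spkis, pinset, enforce=False):
    """Pass if ANY certificate in the chain (leaf, intermediate or root) matches a pin.
    An interception proxy replaces the whole chain with one signed by its own CA, so
    nothing matches even though the OS trust store accepts it.
    enforce=False: report-only, as the thread describes pinning in experimental mode."""
    if any(spki_pin(s) in pinset for s in chain_spkis):
        return "ok"
    return "fail" if enforce else "warn"

# Constructed placeholder keys (not real): the site key, a backup key, the site's CA,
# and the leaf plus root an intercepting corporate proxy would present instead.
SITE_KEY = ed25519_spki(bytes([0x11]) * 32)
BACKUP_KEY = ed25519_spki(bytes([0x22]) * 32)
CA_KEY = ed25519_spki(bytes([0x33]) * 32)
PROXY_LEAF = ed25519_spki(bytes([0x44]) * 32)
PROXY_CA = ed25519_spki(bytes([0x55]) * 32)

# Two pins, so the site can rotate to BACKUP_KEY without locking clients out.
PINSET = {spki_pin(SITE_KEY), spki_pin(BACKUP_KEY)}

def genuine_chain():
    return check_chain([SITE_KEY, CA_KEY], PINSET)

def intercepted_chain(enforce=False):
    # What the office poster saw: a chain ending in the firm's CA, not the site's.
    return check_chain([PROXY_LEAF, PROXY_CA], PINSET, enforce)

if __name__ == "__main__":
    print(genuine_chain(), intercepted_chain(), intercepted_chain(enforce=True))
```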
