disabling HSTS
Posted Apr 24, 2017 15:46 UTC (Mon) by gerv (guest, #3376)
In reply to: disabling HSTS by linuxrocks123
Parent article: Tor exit node operator arrested in Russia (TorServers.net blog)
Also, did you know that when you override a cert error, you allow that cert for any SAN in it, not just the one you are connecting to? So if that cert is for www.securityblog.example.com and also www.paypal.com, you just allowed them to MITM you for paypal.com. This is more of a risk for self-signed than for expired, but I bet you didn't know it, nevertheless.
Overriding SSL cert errors, particularly with the permanent flag checked, is a _bad_ idea.
Posted Apr 24, 2017 21:43 UTC (Mon)
by nix (subscriber, #2304)
[Link] (2 responses)
Posted Apr 24, 2017 22:38 UTC (Mon)
by nybble41 (subscriber, #55106)
[Link]
The router may be able to change any of the traffic passing through it, but that does not imply that it can present itself as an arbitrary properly authenticated HTTPS site... unless you accept its self-signed certificate without first checking that the certificate is limited to the router's admin domain. TLS is specifically designed to thwart MiTM attackers with exactly that ability to intercept and modify any of the participants' traffic.
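The following is an added example, not code from the thread or from LWN: it makes gerv's point (an override trusts the certificate for every SAN it carries) and nybble41's check (accept only a certificate limited to the domain you meant to reach) concrete. It takes the dNSName entries of a certificate's subjectAltName as a plain list (how you extract them is assumed to be done elsewhere) and reports which other names the override would implicitly trust; wildcard matching follows the RFC 6125 rules the old `ssl.match_hostname` used.

```python
"""Audit what a certificate-error override would implicitly trust.

Added example (not from the LWN thread). Given the dNSName entries of a
certificate's subjectAltName and the host you are actually connecting to,
report every other name the override would also let that certificate speak
for. A '*' is honoured only as the whole leftmost label and matches exactly
one label, so '*.example.com' covers 'a.example.com' but not 'example.com'.
"""


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN dNSName pattern covers hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Only a leftmost label that is exactly '*' is a wildcard; anything like
    # '*.com' (fewer than three labels) or 'f*.example.com' is rejected.
    if labels[0] != "*" or "*" in pattern[2:] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels):
        return False
    return host_labels[1:] == labels[1:]


def override_scope(san_dnsnames, intended_host: str):
    """Split a cert's SANs into the names that cover the intended host and
    the names the override would additionally trust (the hidden risk)."""
    covers = [n for n in san_dnsnames if dnsname_matches(n, intended_host)]
    extra = [n for n in san_dnsnames if not dnsname_matches(n, intended_host)]
    return covers, extra


def is_limited_to(san_dnsnames, intended_host: str) -> bool:
    """nybble41's check: accept only if every SAN covers the host you meant
    to reach, so the exception cannot be reused for anything else."""
    covers, extra = override_scope(san_dnsnames, intended_host)
    return bool(covers) and not extra


if __name__ == "__main__":
    # Constructed SAN list modelled on gerv's example in the thread.
    sans = ["www.securityblog.example.com", "www.paypal.com"]
    covers, extra = override_scope(sans, "www.securityblog.example.com")
    print("covers intended host:", covers)
    print("override would also trust:", extra)
    print("safe to store exception:", is_limited_to(sans, "www.securityblog.example.com"))
```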
Posted Apr 29, 2017 19:32 UTC (Sat)
by flussence (guest, #85566)
[Link]