263
submitted 9 months ago* (last edited 9 months ago) by suspicious_eye@lemmy.world to c/nostupidquestions@lemmy.world
you are viewing a single comment's thread
view the rest of the comments
[-] tauonite@lemmy.world 27 points 9 months ago

Tell me more about SSL certificate forgery. As far as I know, for a device to trust it, it needs to be signed by a trusted CA. You'd either need to compromise a CA and create your own certificate for the website or make the target device trust a custom CA. In the case of a custom CA, the user explicitly needs to perform an action to trust it. How is this not enough on a public network?

[-] redcalcium@lemmy.institute 5 points 9 months ago* (last edited 9 months ago)

There are cases of malicious/incompetent CAs issuing certificates to parties who don't own the domains. DigiNotar was the most famous one, and recently there was a Chinese CA (I forgot the name) booted from the list as well. Once they're detected (browsers report SSL certs they see back to mothership for audit) they would be removed from trusted lists though, so chance that they're only used for high value targets and can't be used that often.

[-] Nibodhika@lemmy.world -3 points 9 months ago* (last edited 9 months ago)

There are several ways, most common is to MITM the address to redirect to a different but similar one, which is unlikely to get noticed since you know you typed the address correctly or you clicked from a trusted link/favourite, then that wrong address has it's own valid SSL certificate. Another way is to use self-signed certificates, which browsers would warn people about, but apps are not likely to. Also you can MITM the CA themselves, whole you wouldn't be able to actually pass by them you can do an exhaustion attack and essentially block all certificate exchanges, yes your site won't have a valid certificate, but neither will any real site, so most people will just ignore the message the browser is showing them because it's showing it for every site.

None of these methods would fool an attentive educated person, but they might fool someone in a rush. Also even if the attack doesn't succeed in stealing information it 100% succeeds in blocking access, while I might not be as concerned about blocking my Facebook, blocking my bank might prevent me from doing important stuff, and worse people who need to get into their bank are likely to just wave security warnings out of the way without reading them, especially if they've been getting them for everything else and nothing had a problem.

Edit: I also forgot to mention the other ways, there are leaks from CAs constantly, which allow you to either impersonate them or sign other certificates. Sure these get patched rather quickly once found, but after you have the signed certificate from them it's game over. Also what I was referring in the other post is self-signed certificates, most browsers show a warning about them nowadays, but again you can win by exhaustion.

[-] emptiestplace@lemmy.ml 5 points 8 months ago

You went from "MITM TLS is child's play" to "there are some ways we can social engineer our way around it if the stars align just right" in like one post. You're clearly not qualified here, stop with the FUD bullshit.

this post was submitted on 25 Feb 2024
263 points (88.6% liked)

No Stupid Questions

35868 readers
298 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS