tl;dr: I made a Chrome Extension that finds security vulnerabilities.It’s now available for Firefox too! To secure web connections, TLS-enabling servers is only half the battle; the other half is ensuring that TLS is used everywhere. Unfortunately, many HTTPS sites today include insecure references that provide an network-based attacker the opportunity to break into theContinue reading “Seek and Destroy Non-Secure References Using the moarTLS Analyzer”
Tag Archives: https
Using HTTPS Properly
Disclaimer: I’m a big fan of Pandora. I’ve been a listener for a decade or more, and I started paying for an annual subscription even before there was any real incentive to do so, solely because I loved the service and wanted it to succeed. This post isn’t really about Pandora, per-se, but about commonContinue reading “Using HTTPS Properly”
Leaking Keystrokes
Windows 10’s IE11 continues to send your keystrokes over the internet in plaintext as you type in the address bar, a part of the “Search Suggestions” feature: “But I don’t search from the address bar,” you might say. That may be, but if you fail to type or paste a URL (sans protocol) into theContinue reading “Leaking Keystrokes”
Understanding CONNECT Tunnels
When a browser needs to send a HTTPS request through a proxy (like Fiddler), there’s a bit of a problem. The proxy needs to know where to send the client’s request, but the whole point of protecting traffic with HTTPS is that the content is encrypted and cannot be read by anyone else on theContinue reading “Understanding CONNECT Tunnels”
Viewing HTTPS Handshakes in Fiddler
You can easily use Fiddler to evaluate what algorithms a client is using to connect to a HTTPS server in Fiddler. First, adjust Fiddler’s configuration using Tools > Fiddler Options to enable capture of CONNECT tunnels but disable decryption: Disabling decryption is necessary because Fiddler decrypts traffic using a HTTPS man-in-the-middle technique, which means thatContinue reading “Viewing HTTPS Handshakes in Fiddler”
text/plain 