1) security.nl
2) http:⧸⧸gw.defensie.nl
3) https:⧸⧸gemeente.amsterdam

NB: in 2 and 3 I used ⧸⧸ instead of // to prevent Mastodon from turning them into
http://gw.defensie.nl
and
https://gemeente.amsterdam
respectively (in my opinion Mastodon should AT LEAST show "http://" in link 2).

See https://www.security.nl/posting/904650/security_nl+-%3E+http%3A__security_nl.

#httpVShttps #AitM #QRcodes #EvilTwin #PublicWifi #InfoSec #httpsVShttp #E2EE #Tunnel #TLS #SSL

@jscalzi: please stop using http links if websites support https.

By specifying https://vote.org (or https://vote.org/ which gives the same result) in a link, or by typing https://vote.org in the address bar of your browser, there are three possibilities:

1) the browser connects to the _real_ vote.org website;

2) the browser displays a certificate error (never continue in such a case);

3) extremely unlikely (see [1]): the browser connects to a fake website that managed to obtain a valid certificate for the vote.org domain name.

(Note: I used the Unicode '⧸' character instead of the regular slash char '/' to prevent Mastodon from hiding the protocol).

By default, _none_ of the popular web browsers prevents active (i.e. not passive) criminals from successfully conducting Man-in-the-Middle attacks - if the first connection-attempt uses http.

Most browsers _may_ TRY https first, but an attacker can block that request, forcing the browser to downgrade to http (if the user explicitly requested https, such a downgrade to http will _not_ happen).

Such attacks can be conducted in various ways, such as by using an "evil twin" WiFi access point (https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/) or by manipulating DNS replies to browsers.

Note: the domain "vote.org" is currently _not_ listed in the HSTS preload list (apparently it was removed because of stupidities): https://hstspreload.org/?domain=vote.org (being listed would _force_ browsers to use https, even if "the user" requested http by tapping on such a link).

See also the unnecessarily poor results in https://internet.nl/site/vote.org/2883671/

Unfortunately also @BleepingComputer regularly uses unnecessary http links in their articles.

[1] More info: https://infosec.exchange/@Bitwiper/112779974228111155

@adamshostack

#http #https #httpsvshttp #httpvshttps #AitM #MitM #EvilTwin #DNS #DNSAttacks #DV #DomainValidated #DomainValidation #Certificates #TLSCertificates #httpsCertificates #httpsServerCertificates #ServerCertificates #Authentication #Impersonation
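As an added illustration of the two points the post above makes (an http link can be downgraded on the first connection unless the user asked for https or the domain is HSTS-preloaded, and a site only gets onto the preload list if its Strict-Transport-Security header meets hstspreload.org's requirements), here is a small offline Python example. It is not code from the original post or from vote.org; the header strings are constructed samples, the function names are my own, and the decision model in `first_connection_scheme` is a deliberate simplification of real browser behaviour (it assumes a browser that tries https first on plain http links, which the post notes only some browsers do).

```python
"""Added example (not part of the original post).

1. parse_hsts / preload_problems: parse a Strict-Transport-Security header
   (RFC 6797 syntax, directive names case-insensitive) and report why it would
   be rejected by hstspreload.org (max-age >= 1 year, includeSubDomains,
   preload, and http:// must redirect to https:// on the same host).
2. first_connection_scheme: a simplified model of which scheme a browser ends
   up using on a FIRST connection when an active attacker blocks port 443.
All sample headers below are constructed, not captured from any real site.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by hstspreload.org


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the value of a Strict-Transport-Security response header."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header: str, http_redirects_to_https: bool) -> List[str]:
    """Return the reasons the policy fails hstspreload.org's published
    requirements; an empty list means it qualifies."""
    policy = parse_hsts(header)
    problems: List[str] = []
    if policy.max_age is None:
        problems.append("missing max-age")
    elif policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains")
    if not policy.preload:
        problems.append("missing preload directive")
    if not http_redirects_to_https:
        problems.append("http:// does not redirect to https:// on the same host")
    return problems


def first_connection_scheme(requested_scheme: str, preloaded: bool,
                            https_blocked: bool,
                            browser_tries_https_first: bool = True) -> str:
    """Simplified model of the scheme used on a first connection.

    requested_scheme: "http" or "https", as written in the link the user opened.
    preloaded: domain is on the HSTS preload list (or HSTS already cached).
    https_blocked: an active attacker drops the browser's port-443 attempt.
    Returns "https", "http" (downgraded: attacker can now MitM) or "error"
    (browser refuses to fall back and shows a connection error).
    """
    if requested_scheme == "https" or preloaded:
        # Explicit https or HSTS: the browser never silently falls back to http.
        return "error" if https_blocked else "https"
    if not browser_tries_https_first:
        return "http"  # plain http link honoured as written
    # Opportunistic upgrade: blocked https attempt leads to an http downgrade.
    return "http" if https_blocked else "https"


if __name__ == "__main__":
    good = "max-age=31536000; includeSubDomains; preload"   # constructed sample
    weak = "max-age=300"                                    # constructed sample
    print("good header problems:", preload_problems(good, True))
    print("weak header problems:", preload_problems(weak, False))
    for scheme, pre in [("http", False), ("https", False), ("http", True)]:
        print(scheme, "link, preloaded =", pre, "->",
              first_connection_scheme(scheme, pre, https_blocked=True))
```

Running the module shows the downgrade only in the first case (plain http link, not preloaded), which is exactly the situation the post warns about; the other two cases end in a certificate or connection error rather than a silent fall-back to http.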
