My observations show that certificate pinning in apps is not always used as a protective mechanism, but frequently serves to conceal legally questionable practices and (calculated) privacy violations. Excerpt from the forthcoming article »Diving into the data stream: a toolkit for Android app testers« (»In den Datenstrom eintauchen: Ein Werkzeugkasten für Tester von Android-Apps«).
@bagder Daniel, I respect and admire you for your considerate and respectful behavior, but would it be appropriate to point out the potential for unintended #mitm interception more clearly in this case?
I mean, the title could also have been "Apple does not want you to notice when you are being wiretapped", or did I miss any other precaution they took to prevent this from happening?
Also, I find it shocking that I don't find this shocking any more… 🤯
So I think my partner @owen is experiencing a @signalapp #MitM attack... I suspect on the part of the phone manufacturer, #Unihertz
How can I...I don't know, prove this? Fix it?
Here's what I did so far to troubleshoot:
@owen received a new phone, a Unihertz Atom L, and switched his Signal over to it. As I try to make a habit of, I called him over to verify our "security number". The check failed. The first sign of trouble.
To reduce the risk of such attacks in the future an early stage service called CertWatch has been published by our Community: https://certwatch.xmpp.net/
@br00t4c Meanwhile the news outlet above is being man-in-the-middled by Cloud(G)lare. We hope that no one thinks the password they use to access that outlet is protected by the padlock they see.
The problem has been documented from as far back as 2017 but the calls by privacy activists have fallen on corrupted ears.
The way Medibank is still #MITM'd by military-contracted 'scam'azon
This service allows you to check your XMPP server's #TLS setup, helps you publicly store the hash of the public key in a secure way, and then monitors your server to make sure that connections to it get the same public key that you have configured and sends notifications if anything changes (which may indicate a #mitm attack on your service).
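The check the post describes (record the hash of the server's public key once, then re-verify on every connection and alert when the key changes) is what RFC 7469-style SPKI pinning does. The script below is an added example and is not CertWatch's own code: it builds a minimal X.509-shaped certificate inline with a small DER encoder (a constructed fixture so the script runs offline), extracts the SubjectPublicKeyInfo, computes the Base64(SHA-256) pin, and shows that a routine renewal with the same key passes while a certificate carrying a different key, as a transparent MITM bridge with its own Let's Encrypt certificate would present, is flagged. The `fetch_cert_der` helper is the only part that touches the network and is for real use; all names and the fixture are hypothetical.

```python
from __future__ import annotations
import base64
import hashlib
import socket
import ssl


# --- minimal DER helpers: enough to walk the outer X.509 structure ---

def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV) for the element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> raw SubjectPublicKeyInfo TLV.
    The SPKI is the 7th tbs element when the optional [0] version is present."""
    tag, cert_body, _ = der_read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = der_read_tlv(cert_body, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    pos = 0
    tag, _, nxt = der_read_tlv(tbs, pos)
    if tag == 0xA0:                      # [0] EXPLICIT version, optional
        pos = nxt
    for _ in range(5):                   # serial, signature, issuer, validity, subject
        _, _, pos = der_read_tlv(tbs, pos)
    start = pos
    tag, _, end = der_read_tlv(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return tbs[start:end]


def spki_pin(cert_der: bytes) -> str:
    """Base64(SHA-256(SPKI)): pins the key, so renewals with the same key still match."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def check_pin(cert_der: bytes, stored_pins: set[str]) -> tuple[bool, str]:
    """Key-continuity check a monitor runs on each connection: (matches?, observed pin)."""
    pin = spki_pin(cert_der)
    return pin in stored_pins, pin


def fetch_cert_der(host: str, port: int = 5223) -> bytes:
    """Live fetch of the leaf certificate (direct-TLS XMPP port by default); not used offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def build_fake_cert(key_bytes: bytes, serial: int = 1) -> bytes:
    """Constructed fixture: an X.509-shaped DER blob (empty names, dummy signature).
    Only the field order matters for pin extraction; it is not a valid certificate."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial_tlv = der_tlv(0x02, bytes([serial]))
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # id-ecPublicKey
                   + der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_tlv(0x30, version + serial_tlv + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))


# Constructed scenario: the operator pins the key of the real server.
SERVER_KEY = b"\x04" + b"\x11" * 64
MITM_KEY = b"\x04" + b"\x22" * 64
CERT_ORIGINAL = build_fake_cert(SERVER_KEY, serial=1)
CERT_RENEWED = build_fake_cert(SERVER_KEY, serial=2)   # new cert, same key
CERT_BRIDGE = build_fake_cert(MITM_KEY, serial=3)      # interposed bridge's own cert
STORED_PINS = {spki_pin(CERT_ORIGINAL)}

if __name__ == "__main__":
    for label, cert in (("renewed", CERT_RENEWED), ("bridge", CERT_BRIDGE)):
        ok, pin = check_pin(cert, STORED_PINS)
        print(f"{label}: {'OK' if ok else 'ALERT: key changed'} pin-sha256={pin}")
```

The pin is taken over the SubjectPublicKeyInfo rather than the whole certificate, so a legitimate renewal does not trigger an alert but a certificate issued to the same name for a different key does; on a live deployment the monitor would also want to check from more than one vantage point, since a bridge placed in front of the server alters what every client sees.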
I'd take these allegations with a grain of salt. But I must say that MitM'ing with a #LetsEncrypt certificate and then forgetting to renew it, leading to discovery, sounds like the most German law enforcement thing ever.
Looks like a transparent bridge was deployed in front of the actual server, obtained dedicated certificates from #LetsEncrypt and MitMed all incoming client connections since July. It was discovered because the LE certificate expired 🤦
@heiseonline Preventing #MITM is a problem that can be solved exactly (encryption, certificates, …). Why on earth would you need #DeepLearning for that? 🤯
Dispensable for anyone who doesn't want to sell or buy #DigitalSnakeoil, because umpteen brands offer the same #Scam along the lines of "Install our kernel hack into your #Binaryblob #Govware OS to make it secure, or just shove our 19" rack-mount #MITM #Appliance into your LAN and #backdoor all your #SSL traffic on site for comprehensive hoodwinking and pseudo-security!"
Box.com hosting a page which goes to Cloudflare-protected #MITM / #AITM #phishing
As usual, the whole trust in corporate URLs is going down big time. I have seen abuses on Microsoft, LinkedIn, Notion, Box and Zoho in a matter of a couple of days.
HELP! This instance will close down in one month without funds.
WORKING BEE
We're donating 10 SOLID HOURS of VISUAL DESIGN WORK as pro designers ready to work for an AUD$250+ donation to this great instance. No email pls, DMs only! *some work pictured
Help 'activism' open-worlds to those who need it.
BOOST to help a miracle happen. Maybe such miracles are only reserved for those with (#MITM) "connections"?
Using CloudFlare and other corporate MitM "services" to protect your server against DDoS attacks? Looking for an ethical replacement? Cory Doctorow is using Deflect for pluralistic.net: