[squid-dev] proof of concept for mitm attack for all ssl including pinned certificates

Eliezer Croitoru eliezer at ngtech.co.il
Wed Sep 27 17:51:54 UTC 2017


Hey,

What exactly do you mean by proof of concept for such an attack?
With commodity hardware and normal budget you cannot attack pinned certificate.
The only "efficient" way to enable such an attack would be to patch the client side OS memory or Binary.

The are other attacks like downgrading from a secure version of TLS\SSL into a non secure one but all these attacks probably do not exist in applications which pin certificates in their binaries.

Eliezer

* If someone else know more then me about the subject just ignore my words and listen to the experts.

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: squid-dev [mailto:squid-dev-bounces at lists.squid-cache.org] On Behalf Of stern0m1
Sent: Wednesday, September 27, 2017 18:25
To: squid-dev at lists.squid-cache.org
Subject: [squid-dev] proof of concept for mitm attack for all ssl including pinned certificates

Hi,
I am new to squid, please pardon me if this has already been discussed.

Is there a proof of concept somewhere to successfully use squid as a
transparent proxy for  a mitm attack for sites/applications with pinned a
pinned certificate?

Thanks




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Development-f1042840.html
_______________________________________________
squid-dev mailing list
squid-dev at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev



More information about the squid-dev mailing list