undefined | Better HN

0 pointsSomeone11y ago0 comments

And if you can't make head or tails of it, you may conclude "good, it seems encrypted. Unfortunately, that means I cannot tell what they send to their server".

0 comments

joshfraser11y ago

I assume you'd set up a custom CA on your proxy so you can spy on the https traffic. I'd be suspicious if I saw large blogs of data that had been encrypted in the application instead of at the network layer.

Ded7xSEoPKYNsDd11y ago

But then best practices say you should be doing cert pinning. That will block your CA.

Although for most apps modifying that check to look for another cert is probably not too hard. (But of course if the app is obfuscated and does integrity checks on itself, it can get arbitrarily complicated.)

voltagex_11y ago

I visit sites with cert pinning at $EMPLOYER. $EMPLOYER runs a very expensive solution from Blue Coat which includes a MITM CA - no issues intercepting anything here. Amusingly, this meant the proxy itself was vulnerable to Heartblead while the client machines were not.

1 more reply

j / k navigate · click thread line to collapse