Gidley's Gossipings

A blog about not much really

Man in the middle is easier than you think

I’m often heard saying it’s quite easy to MITM HTTPS (also called SSL/TLS) and decided that maybe I should list all the methods I know of (there are quite a few). The attacker has many options to try and get in the middle between the user and web server/API Pure Technical Approaches Zero Day Vulnerabilities in browsers TLS/SSL Breaks Incorrectly Issued Trusted Certificate Aquire vendor issued ‘trusted’ certificate Social Engineering Approaches Convince user to install MITM certificate Convince user to install software Malicious Browser Extensions Conclusion Pure Technical Approaches The pure technical approaches rely on attacks that don’t require users to make any mistakes and anyone can be vulnerable. Read more →

mitm key

To continue my MITM attacks theme - someone has just release a nice USB key that ransacks your PC - Ars Technica has a good write up. This kind of thing is very dangerous as it’s really easy to get people to put USB keys into computers! I’m currently writing a longer article on the (many) ways to MITM TLS to help explain how easy it is! Read more →

malware and https

I’m often heard worrying about the state of HTTPS and the ease to get users to do things that make it basically not function - but I’ll admit evidence of real world attacks is thin on the ground. There is a systematic reason for the lack of information - if a hacker uses a Man-In-The-Middle (MITM) technique to hack HTTPS there is very little evidence left and all thart will happen is the stolen data will turn up in a list at some point in the future. Read more →

Booth eye tracking

Recently I was at a Trade Show (Money 2020 in Las Vegas) and was wondering how effective the booth designs were at getting people’s attention. There seem to be a number of apporaches people try Big Pictures to grab attention Videos on loop explaining stuff ‘Gimmicks’ on the stand Live Talks Text explaining products Slogans explaining mission What’s not clear to me is which of these actually work. Annecdotially you can watch people go buy and see what they look at, and then observe who engages. Read more →

Why is there such a thing as default passwords?

Why in 2016 are people still shipping software and devices with default passwords? The recent IOT/Botnet that broke large chunks of the internet was entirely avoidable if the devices had been shipped without default passwords. This is perfectly within the capability of a device manufactuer - even British Telecom (who have many many issues) have been shipping their devices with randomized passwords printed on a sticker on the device for years. Read more →

Google Pixel - Initial Review

I ordered a Google Pixel when they were released as I needed a new personal Android phone and generally the Nexus line has been very good, so I thought I’d try the Pixel. Some initial comments It looks nice, it compares well to my (work) iPhone 6 from a looks point of view The finger print reader is great, so far much more accurate and quick than my iphone one which seems to be getting slower and slower The USB cable ‘port your phone’ thing didn’t work at all with my old Android Phone (A Moto X). Read more →

New Website

I’ve decided to finally move this site off blogger. It wasn’t adding much value so I’ve gone old-skool back to static HTML using Hugo. The site is using a AMP based template so it should be super quick and responsive. Read more →