by toast0 1694 days ago
HTTPS is secure point to point. It's easy to make an HTTPS endpoint that displays your request via skywriter or whatever. There should be no guarantee or suggestion that having https along one part of the journey means the whole thing is secure (but you do/did get a lock icon in the browser).

Protection from MITM with HTTPS and TLS in general relies on certificate validation (or exotic key setup). Commonly used browsers do a good job (barring whatever security issues are found from time to time), but apps are mixed.

Sometimes they accept any certificate, from any issuer, including self-signed certificates. Sometimes, the certificate needs to match the domain, but any issuer is fine, including self-signed. Sometimes, the certificate needs to match the domain and be issued by a widely accepted CA. Sometimes, the certificate needs to be issued by one of a small list of issuers, but any domain is fine. Sometimes, the certificate needs a matching domain and must be from a small list of issuers.

Also, not all apps check certificate expiration. There are a lot of ways to do it wrong here, so the app saying https, using port 443, or even Wireshark showing TLS doesn't tell you much.
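Added example, not part of toast0's comment or of anything else in the thread: the validation variants listed above, run against real certificates so the difference is visible in output rather than prose. Go is used because its standard library both mints certificates and implements the verifier a careful client would use. The CA name "Example Private Root", the hostnames api.example.com and cdn.example.net, the `issue`/`must` helpers and the policy labels are all constructed for this example and describe no particular app.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Classify maps a certificate verification error to a short label.
func Classify(err error) string {
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "untrusted issuer"
	case x509.HostnameError:
		return "hostname mismatch"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	}
	return "other failure"
}

// must panics on error: the functions below only build test data, not client logic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a certificate for name over [from, to], signed by parent/parentKey, or self-signed when parent is nil.
func issue(serial int64, name string, from, to time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: to, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // SAN, not CN: the SAN is what verifiers match
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenarios mints a private CA plus four server certificates (constructed test data,
// regenerated on every run) and reports how four client policies judge each of them
// when the client meant to reach api.example.com: results[policy][certificate] = label.
func Scenarios() map[string]map[string]string {
	now, host, h := time.Now(), "api.example.com", time.Hour
	ca, caKey := issue(1, "Example Private Root", now.Add(-h), now.Add(24*h), true, nil, nil)
	certs := map[string]*x509.Certificate{}
	certs["good"], _ = issue(2, host, now.Add(-h), now.Add(h), false, ca, caKey)
	certs["self-signed"], _ = issue(3, host, now.Add(-h), now.Add(h), false, nil, nil)
	certs["wrong-name"], _ = issue(4, "cdn.example.net", now.Add(-h), now.Add(h), false, ca, caKey)
	certs["expired"], _ = issue(5, host, now.Add(-48*h), now.Add(-24*h), false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	judge := map[string]func(*x509.Certificate) error{
		// What a browser does: chain to a trusted root, SAN matches, inside the validity period.
		"strict": func(c *x509.Certificate) error {
			_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
			return err
		},
		// Pinned issuer list but any name: DNSName left empty, so no hostname check.
		"issuer only, any name": func(c *x509.Certificate) error {
			_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
			return err
		},
		// Name must match but any issuer (and no expiry check): hostname check alone.
		"name only, any issuer": func(c *x509.Certificate) error { return c.VerifyHostname(host) },
		"accept anything":       func(c *x509.Certificate) error { return nil }, // crypto/tls: InsecureSkipVerify: true
	}
	results := map[string]map[string]string{}
	for pname, f := range judge {
		results[pname] = map[string]string{}
		for cname, c := range certs {
			results[pname][cname] = Classify(f(c))
		}
	}
	return results
}

func main() {
	fmt.Println(Scenarios())
}
```

In crypto/tls terms, "accept anything" is InsecureSkipVerify: true, and the two middle rows are what hand-written VerifyPeerCertificate callbacks commonly end up doing: Verify without a DNSName, or VerifyHostname without any chain building. Only the full x509.Verify row rejects all three bad certificates; every lax row accepts at least one of them, which is the point of the comment above.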