zlacker

[parent] [thread] 3 comments
1. aneutr+(OP)[view] [source] 2023-10-13 21:50:41
While if possible, it's the best course of action, the truth is these days additions like HSTS make it extremely difficult to MITM.

Additionally, MITM and trying things out on a toaster are one thing, doing the same on a 40k$ machine that can potentially make it impossible to do your commute is another.

This is IMO a prime example where the double team rev eng is key to success: one documents the API, the other uses it without having access to code (whiteroom)

replies(1): >>amelia+AG
2. amelia+AG[view] [source] 2023-10-14 07:02:38
>>aneutr+(OP)
Nitpick: HSTS doesn't interfere with MITM. You're thinking of certificate pinning.
replies(2): >>aneutr+eN >>LoganD+QBc
◧◩
3. aneutr+eN[view] [source] [discussion] 2023-10-14 08:54:04
>>amelia+AG
You are right, I was thinking of stapling but wrote HSTS. Thanks
◧◩
4. LoganD+QBc[view] [source] [discussion] 2023-10-18 03:17:54
>>amelia+AG
HSTS interferes with MITM when the mobile device in question doesn't allow you to install new certificate authorities (as is slowly becoming the case).
[go to top]