According to Cloudflare roughly 18% of HTTPS connections are currently being intercepted (man-in-the-middle):

@fribbledom and that's a conservative estimate based on what they can prove

@fribbledom Are they including themselves in that statistic? :blobthinking:

@fribbledom makes me worry about protonvpn again..

Hmm `protonvpn-cli` tool wgets stuff from if that is middlemanned, probably they can subsequently middleman the VPN...

Made a git log the state of the files that tool gets to track it.. Not really useful in hindsight. Still feel there should be a gpg public key you can get off-channel, to check the certificates are right. Perhaps also a second https server using different certificates..

@fribbledom It's nice to see people starting to openly admit that https is broken.

@tfb @fribbledom That's what happens when the system is fed with CAs by snake oil and even on customer request. I had a customer that wanted me to install such a CA to work with their internal API. I refused and fiddled around with the project until I got it to run with custom bundle that was not used by the rest of the system. All the other people on the project simply did this - and used their VPN "software" on top. It's the way people "wave off" cert warnings or installations.

@requiem @fribbledom Yep. And although my company uses CF for their DNS service (long story that doesn't end well), **none** of our zones are intercepted by CF's services.

They worked good for the first couple of months we used them, but started noticing intermittent and hard to diagnose problems with our API and web services. As soon as we turned the interception off, things magically improved.

@fribbledom A couple of weeks ago at work, I was on a conference call with our firewall vendor, where they bragged about how good a TLS MITM they could sell us (for our protection, of course). When I asked what they did for sites that implement MITM defences, such as HPKP, TLSA or CAA, I got the phone equivalent of a blank stare.

I wonder if the honest answer would have been "no server implements it", "no client implements it", or "the users will ignore the warnings".

How exactly do you intercept a secure connection tho?

Sign in to participate in the conversation

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!