Would frequently changing the passphrase through a physical connection provide a level of defense against recent WPA2 encryption breach techniques?
No, changing the passphrase will not help, that has been covered in the announcement.
Use only HTTPS or a VPN.
For Windows and Linux get the patch, for Apple get the beta, for Android pray your phone will receive a patch.
For Linux and Android it is very serious because the key will be reset to all zeros, for Windows and Mac that will not happen because they did not follow the spec to the letter.
See The Hacker News, Naked Security and Key Reinstallation Attacks.
Related
I am trying the proxy the network traffic from my iPhone to Mac via Charles Proxy, below are the versions i am using:
iPhone - model 13, OS - 15.4
Mac - OS - Monterey (12.2.3)
Charles - 4.6.2 (licensed)
I installed Charles on Mac, enabled SSL Proxying, added generic IP (0.0.0.0/0) in Access Control Settings, got the local IP address from Help and used it on my iPhone wifi settings - Proxy > manual > local IP from Charles and port 8888.
As soon as i do this my phone is not able to connect to internet at all. I have seen various instructions about adding root certificate, enabling trust settings etc, but those all can be done only if am able to connect to internet to download the certificates. Which i am unable to.
I went through every question on this site which mentions Charles proxy, but none could provide any solution to my problem so appreciate any inputs on this.
If there is no important information in your phone, you can reset the network settings first, then try the following
Make sure that both the computer and the phone are not using a virtual private network
The computer and the phone are in the same network environment
The computer has the Charles root certificate installed
The phone has successfully installed Charles' certificate and trusts it.
If the above suggestions don't help you, I suggest starting from scratch and troubleshooting the problem step by step
Let's take mobile phones and computers accessing https://www.google.com separately as an example
After the computer installs the certificate, can it be connected to the Internet normally, and can it crawl Google's response request?
The mobile phone and the computer are on the same network segment and use the proxy URL provided by charles. Can you access and download the certificate?
3. On the computer, does Charles pop up an access prompt and ask you to choose whether to agree to the access?
Turn off the computer-side crawling and access it on the mobile phone to see if it can crawl the response request on the mobile phone.
Next time, check the firewall in the security and privacy settings. It should not block Charles' incoming connections. I spent two hours trying to figure out what was going on
I need to be able to capture HTTP(S) requests from Android and iOS devices, for both Browsers and, in the future, for Native apps for testing purposes mainly.
Some aspects to consider:
There are a lot of devices/iOS combinations to support, so the only viable solution is to use a Cloud Browser provider like SauceLabs, BrowserStack, etc.
Preferably, I would use Real devices, not Emulators/Simulators
We could make any kind of tweaks for the staging environment of the site under test in case is needed
Same for the native applications
My first attempt was to give it a try with FiddlerCore, and while it works on Android, it doesn't work on iOS because of the self-signed certificate that would require to be trusted manually (leaving aside the fact that due to security reasons, no Cloud Browser provider would allow you to do it).
So, next I thought of creating a proxy server and buying a Trusted CA Signed Certificate (e.g. Comodo, GoDaddy, etc), setup the device to use that proxy server and then fetch in my tests the requests and responses from it.
I don't know much about Certificates and don't have extensive experience Appium, so the following questions arise:
Will the setup mentioned above, using a proxy server and trusted CA signed cert suffice for iOS not to complain that the certificate is not trusted? Note that I won't be able to manually accept the cert on the device (in case it's needed).
In case the setup above will work, is it possible to setup using Appium the proxy settings on the device? As far as I know, Appium can interact with Android Settings menu, but I'm not sure about iOS.
Is there anything that I missed or that I could keep mind?
I am trying to find what is the default implementation of BlackBerry for TLS protocol. Does it default to 1.0 or 1.1 or 1.2.
I am trying to find 1. What versions are TLS are supported 2. What is the default?
I have an app on BB world that connects to a back office server. The server team has decided to deprecate TLSv1.0. I am trying to find if this will impact my customers?
Current versions of BB10 do indeed support TLS 1.2 which you can test by using tools provided by SSL Labs. Unfortunately that is not the end of the story.
TLS is a protocol which specifies how to set up and use an encrypted connection. It does not set absolute requirements on encryption algorithm support however. I am aware of one documented case of an issue connecting with some Exchange Active Sync servers because the BB10 device and the server as configured do not have any cypher suites in common. Other EAS servers that are configured differently do not present this issue to BB10 devices.
What you need to do is find out specifically how the server team is going to configure TLS, and what they are going to accept for connections.
I am having a problem since upgrading to Xcode 8 from 7.3.1.I am behind a proxy at work and the simulator will not make any connections to web services though my app although Safari on the simulator works.Everything works fine when I try outside the proxy and it works fine with 7.3.1.Does anyone now of any changes with Xcode 8 & iOS 10 that I need to make?
The Simulator runs a separate iOS/watchOS/tvOS userspace but shares the host macOS kernel. NSURLSession in the Simulator has its own cache but uses the host socket layer.
Try the relevant URI in Safari in the Simulator and see what you get. If your proxy is performing a man-in-the-middle attack on SSL connections they will be rejected as invalid. If your proxy requires authentication it won't work because the Simulator keychain is separate from the host keychain (though this was done in Xcode 7 so it isn't new).
FTW: We do not recommend that proxies MITM SSL connections; that leaves you dangerously exposed to attackers operating inside the corporate firewall, which is extremely common these days thanks to phishing attacks.
We also highly recommend that you limit ATS exceptions to the absolute minimum required. If your webservice is using insecure SSL settings you should upgrade your webservice, rather than down-grading your users to vulnerable connections. If there is only one or two third-party hosts you need to connect to, limit your ATS exceptions to just those hosts.
If none of this helps please file a bug at https://bugreporter.apple.com. Include the output of sysdiagnose and ~/Library/Logs/CoreSimulator.
I've been using Burp Suite to inspect HTTP traffic but for HTTPS traffic I've been unable to do so. I tried extracting Burps certificate and dropping it into the simulator and installing it, but my network calls still seem to be silently failing.
Burp is the simplest option so I'd like to know how to get it to work.
Check out the shell script written by the good folks over at Charles Proxy.
It installs automatically to the iPhone simulator. You should be able to use the same approach for Burp.
You can email yourself the cert to install it on a device. Another option is to modify your app to ignore the usual checks for the SSL cert, but don't forget to take it out for production.
Also the book Hacking and Securing iOS applications has tons of awesome advice if you're into stuff like this.
Here's another answer that must be where I got the idea of using the Charles script: Adding a self-signed certificate to iphone Simulator?
And another answer that might be relevant: iPhone TrustStore CA certificates