[olug] Cert Tapioca transparent network proxy finds 23, 667 Android apps that fail to validate SSL

Rob Townley rob.townley at gmail.com
Sun Mar 1 13:13:55 CST 2015


Aric, you really dredged up something ugly on the internet. I certainly
could not trust any of those sites with a password nor want to download
anything from them. _Assuming_ cdngc.net is a true Content Distribution
Network, it looks like a horrible way to host SSL. They needed different
IP addresses or at least support _secure_ renegotiation but since ricoh.com
does not do secure renegotiation, none of those sites do.

NetCraft says "PWS/8.1.20.9" hosts the site. Could it really be a very
old Windows Personal Web Server?
http://toolbar.netcraft.com/site_report?url=http://www.ricoh.com

Secure Renegotiation is definitely not supported.
https://www.ssllabs.com/ssltest/analyze.html?d=www.ricoh.com&s=174.35.6.8

My 6-year-old had a phone for 10 minutes Friday and installed Candy Crush
Saga.


On Sat, Feb 28, 2015 at 3:03 PM, Aric Aasgaard <aric at omahax.com> wrote:

> I guess I had Shark for Root installed on my old phone, odd that I didn't
> find it with a quick search.
>
> It looks like they just make a tunnel and send whatever they want through
> the tunnel.
> You cannot easily inspect the encrypted traffic against signatures.
>
> Do SAN certificates with a bunch of seemingly non-related Subject
> Alternative Names like this seem sketchy to any of you?
>
> http://certificate.fyicenter.com/726_Publishers_ssl.cdngc.net_CDNetworks_Inc._L_San_Jose_ST_Ca.html
> .....or look at the certificate for this site https://www.ricoh.com/
> ..........I guess they would be useful for reverse proxy servers.
>
> It just seems odd that Candy Crush Saga would use the same certificate as
> Toyota.
>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>
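The "many unrelated Subject Alternative Names on one certificate" pattern Aric asks about can be checked mechanically. The following is an added example, not code from either poster: it decodes the DER value of a SubjectAltName extension (as you would pull it from a captured certificate), groups the dNSName entries by registrable domain, and flags a certificate shared across many unrelated organisations. The sample SAN bytes and the `example-*` hostnames are constructed here, not taken from the ssl.cdngc.net certificate, and the domain grouping deliberately uses a naive last-two-labels rule rather than a public-suffix list.

```python
# Added example (not from the thread): count unrelated registrable domains in a SAN list.

def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def encode_san(names):
    """SubjectAltName value: SEQUENCE OF dNSName ([2] IMPLICIT IA5String)."""
    inner = b"".join(b"\x82" + _der_len(len(n)) + n.encode("ascii") for n in names)
    return b"\x30" + _der_len(len(inner)) + inner

def parse_san_dns(der):
    """Return the dNSName entries; other GeneralName choices are skipped."""
    if der[0] != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    total, i = _read_len(der, 1)
    end, out = i + total, []
    while i < end:
        tag = der[i]
        length, i = _read_len(der, i + 1)
        if tag == 0x82:  # context tag [2] = dNSName
            out.append(der[i:i + length].decode("ascii"))
        i += length
    return out

def registrable_domains(names):
    """Naive grouping by the last two labels (no public-suffix list)."""
    return {".".join(n.lstrip("*.").split(".")[-2:]) for n in names}

def shared_cert_report(der, threshold=5):
    """Flag a cert whose SANs span >= threshold unrelated registrable domains."""
    names = parse_san_dns(der)
    orgs = registrable_domains(names)
    return {"dns_names": len(names), "distinct_domains": len(orgs),
            "shared_across_orgs": len(orgs) >= threshold}

# Constructed sample: one CDN-style cert listing several unrelated customers.
SAMPLE_SAN = encode_san(["ssl.cdngc.net", "*.cdngc.net", "www.example-auto.com",
    "game.example-games.net", "www.example-printers.com",
    "cdn.example-bank.com", "static.example-news.org"])
```

`shared_cert_report(SAMPLE_SAN)` reports 7 names across 6 registrable domains and sets `shared_across_orgs`; a certificate covering only a single organisation's hostnames is not flagged.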

