How to hide / encrypt HTTPS traffic from a sniffer? Does it make sense to use HTTPS?
Good day to all! Straight to the point.
There is an application that performs some calculations. For data, the application contacts the web server via JSON, sends variables, and receives data in response. Recently, the load on the server has increased. Someone is trying to get ALL data by variable substitution.
As a solution, we are trying to switch to HTTPS to hide the address: we set up NGINX, the browser shows a TLSv1.2 connection (for now we are trying with self-signed certificates), and we expect the traffic to be encrypted! As it turned out, only Google Chrome (Windows) can hide traffic: there is no activity in sniffers. Firefox shows * instead of the address (https://*), but the traffic is already visible. All other browsers and applications are sniffed with ease and show all incoming and outgoing traffic!
Actually the question is:
How does Google Chrome hide https from a sniffer and how to hide from a sniffer in general? Or tell me how to hide, if not traffic, then at least the address and content?
So far we see these options:
a) Our own encryption on the client.
b) Open an SSH / VPN connection from the application.
I will accept any docs / links to docs!
Thank you in advance for your help.
You have some kind of magic, it's so easy to sniff HTTPS. Do you have HTTP completely closed, only HTTPS? And what kind of sniffer is it? Maybe it slips you its own self-signed certificate?
Have you tried other sites with HTTPS? Google, Twitter, Facebook and some other large ones work through certificate pinning, that is, the browser initially knows what kind of certificate it should be, and it won’t be possible to change it, but you can try it on other sites.
If you have done server authentication via TLS, this does not mean that an attacker cannot pick up parameters in a request to the server in the same way.
You need to learn how to detect and block such users.
You can also set up client authentication (or, in your case, applications). And requests to the server are accepted only after checking the client certificate or other authenticator.
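One way to approach the "detect and block" step from the answer above, as an added example that is not part of the original thread: it scans nginx access-log lines and flags clients that request many distinct values of one parameter within a short window. The log lines, the `/api/calc` path, the `id` parameter name and the thresholds are constructed assumptions, and it assumes the variable travels in the query string.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

def _line(ip, sec, value):
    # Constructed sample entry in nginx "combined" format (not real traffic).
    return (f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
            f'"GET /api/calc?id={value} HTTP/1.1" 200 512 "-" "app/1.0"')

SAMPLE_LOG = "\n".join(
    # One client walking through 20 different ids in under 40 seconds.
    [_line("203.0.113.7", s, 1000 + s) for s in range(0, 40, 2)]
    # A client repeating the same id, and one using three ids a minute.
    + [_line("198.51.100.4", s, 42) for s in (1, 15, 30)]
    + [_line("198.51.100.9", s, v) for s, v in ((5, 7), (25, 8), (45, 9))]
)

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*"')

def find_enumerators(log_text, param="id", window_s=60, max_distinct=5):
    """Return {client_ip: peak number of distinct `param` values seen in any
    window of `window_s` seconds} for clients whose peak exceeds max_distinct."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        query = dict(parse_qsl(urlsplit(m["uri"]).query))
        if param in query:
            events[m["ip"]].append((ts, query[param]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, len({v for _, v in evs[start:end + 1]}))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, peak in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct values within the window")
```

Flagged addresses can then feed a deny list or a rate limit on the server; behind shared NAT, keying on an authenticated client identity (such as the client certificate mentioned above) is more reliable than the IP address.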