Server-side MitM detection doesn't work. It tries to compare the attributes of the TLS connection (ciphersuites, etc.) with the expected attributes of the client software as determined by the User-Agent header.
So you'll get false positives if the server's database of TLS connection attributes is out-of-date, as is happening to several commenters here.
And you'll get false negatives if the MitM mimics the purported client software, which is easy for a malicious MitM to do.
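An added illustration of the comparison described in the comment above; it is not part of the original thread. The database contents, User-Agent strings and cipher-suite lists are constructed, and only cipher suites are compared, a simplification of the "ciphersuites, etc." a real detector would check.

```python
import re

def is_grease(value):
    # RFC 8701 GREASE code points: 0x0A0A, 0x1A1A, ..., 0xFAFA.
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def fingerprint(cipher_suites):
    # Ordered suite list with GREASE stripped, since GREASE differs per connection.
    return tuple(cs for cs in cipher_suites if not is_grease(cs))

def client_family(user_agent):
    # Simplified, hypothetical User-Agent mapping for this example.
    m = re.search(r"(Firefox|Chrome)/\d+", user_agent)
    return m.group(1) if m else None

# Hypothetical server-side database, constructed for this example.
EXPECTED = {
    "Chrome": (0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F),
    "Firefox": (0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F),
}

def classify(user_agent, cipher_suites):
    expected = EXPECTED.get(client_family(user_agent))
    if expected is None:
        return "unknown-client"
    return "ok" if fingerprint(cipher_suites) == expected else "mitm-suspected"

CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/100.0 Safari/537.36"
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0"

def run_cases():
    chrome_hello = [0x2A2A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F]
    newer_firefox = [0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F, 0xCCA9]
    return {
        # Direct connection from a client the database describes correctly.
        "direct": classify(CHROME_UA, chrome_hello),
        # Interceptor with its own TLS stack forwards the real User-Agent.
        "naive_interceptor": classify(CHROME_UA, [0xC02F, 0xC030, 0x009C]),
        # False positive: a newer release offers a suite the database lacks.
        "updated_client": classify(FIREFOX_UA, newer_firefox),
        # False negative: interceptor offers the same suites as the client it fronts.
        "mimicking_interceptor": classify(CHROME_UA, chrome_hello),
    }

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name}: {verdict}")
```

The last two cases are the two failure modes the comment names: an honest but updated client is flagged, and an interceptor that matches the expected fingerprint is not.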
It should be made to work better. A MITM attack changes the enciphered bits, because it re-encrypts with a different key. So the enciphered bits sent and the enciphered bits received are different. If you can compare a few bits somehow, you can detect MITM attacks.
The early STU-III secure phone displayed a 2-digit number at each end. You were supposed to verify by voice that those numbers were the same. That prevented most MITM attacks.
A web site could send something that says "The first N crypto bytes were 0xa34g", and the browser could check that. An attacker would have to know to fake that to evade the check.
It's possible to make the attacker work very hard to do such a fake. A nice trick would be to have the server send an MD5-type hash of the entire page plus the first encrypted bits early in the web page. Then, send almost all of the web page, but wait a few seconds before sending the last few bytes, which could just be a random HTML comment so rendering doesn't have to wait. To fake that, the attacker not only has to know what to do to fake it, it has to wait for the entire page to transmit before it can send any of the page. So the browser sees a substantial extra delay before the page starts if there's a MITM attack which tries to fake the "first N crypto bytes" check. That's detectable automatically.
I get the red page with Firefox Developer Edition with no extensions, Chrome and Safari are green on same machine. I have all of the anti-fingerprinting stuff turned on in FF though.
Sharing for anyone who didn't know there is a very good dataset you can use now. If you don't have a nvme ssd in your computer, I highly recommend getting one for fast i/o.
In my experience YaCy works really well. You have it crawl the sites you frequently visit and their external links and it quickly accumulates to something more accurate than google.
The sad truth is Congress is the biggest offender of poor network security practices. Every time they bring in Equifax, DHS, etc to explain why they didn't practice basic IT security due diligence or due care I am reminded of the time smart people were hired to implement basic network security for Congress. Once they realized Joe in IT (who was hired to keep hackers out) can see Congressman Bob has a foot fetish, fish fetish, whatever, Congress told IT to turn everything off.
There were more serious allegations against the individual, but the gov't dropped those claims. All that was left was the fact this individual had extensive access to Congressional servers.
Spaces (like wework) has 3 floors here. This area near Ravens Football stadium is definitely getting better. But it is one of the areas that the city cares about over other areas unfortunately.
In case Netflix is dominating your time...
This is my Free Chrome plugin that will block Netflix after 1 hour and wait for you to commit something on Github to keep Netflix and Chill'n. Other options like Khan Academy are supported.
Main goal is to get children under twelve to go outside, jump in puddles, ride their bikes. My daughter did 10 rounds of this once, 10 hours of youtube with 5 multiplication problems each hour and eventually decided youtube wasn't worth it. It helps children to disconnect for a couple minutes and re-evaluate their summer day life choices.
Oh, well if you have someone of higher authority to enforce its continued and proper usage, then obviously that's a different story.
I was originally commenting from the perspective of the plug-in as a self-help tool where its usage and existence in the browser was determined solely by the users themselves.
In a household setting, I could see it being useful in preventing kids from spending too much time in front of the computer.
Vulnhub has hundreds of virtual machine images you can download and practice with, such as metasploitable. Hack the box is great. If you want to read a blog post describing how to get admin or root on a box, google boxname walkthrough with vulnhub or hack the box in the search as well. IppSec's 90+ youtube videos are excellent. Check out metasploit minute videos. I also heard pentestlabs is good. Good luck!
A landline phone, at $10 a month, is a pretty decent investment for anyone who spends a lot of time at home. I almost exclusively only take interviews, meetings, etc calls from my landline, solely because of call quality issues!
I tried Robokiller on my iPhone. It wasn't even catching half the calls. I ended the trial before I got charged. Anyone know of an app that actually works?
I’m paying for RoboKiller and it has gotten significantly better over the last couple of months. I think because it is learning based on my address books and who I typically call. I absolutely love the app and swear by it now. Especially since it also intercepts my VOIP business line as well.
I'm pretty certain that Freedom (and many other ad-blocking apps) got banned because they were using a VPN for uses other than a strict VPN. Your app uses a VPN for access control, right? Why do you think it won't be banned?
EDIT: I don't want that to sound hostile at all...genuinely curious
Fair question. There are a number of differences between apps like Freedom and StudyCity. We are aware of the recent VPN rules. StudyCity simply needs a gate to direct the student / child to take a couple of minutes to earn points on Khan Academy or another supported site. The gate can be implemented in many ways. At the moment, this is all the detail I can provide.
One way to use this plugin would be to break tasks down into manageable pieces. It is usually easier to motivate yourself to knock out a 15 min task than to do a 4 hour task.
This is not production perfect yet, but it integrates with Github, DuoLingo, and several education sites to offer similar help to develop better habits. Target market is children, but we added a github option to measure progress as an alternative to the learning sites.