SSL TLS HTTPS Web Server Certificate Fingerprints  

Public and Private keys form cryptographically matched pairs. It is not feasible to derive one from the other, yet what one encrypts only the matching other can decrypt. Website SSL security certificates provide the site’s Public cryptographic key which is the public side of the server’s secret Private cryptographic key which is never publicly disclosed. Only the certificate’s public key can be used to encrypt data which the remote server can decrypt only using its matching private key. Since the SSL Proxy Appliance does not have the private key of the remote server—because only the remote server has it—the fake & fraudulent certificate the SSL Proxy provides to the user’s web browser is forced to use a different public key for which it does have a matching private key. And that means that no matter how hard any SSL-intercepting Proxy Appliance may try to spoof and fake any other server’s certificate, the certificate’s public key MUST BE DIFFERENT

via GRC | SSL TLS HTTPS Web Server Certificate Fingerprints  

The remote server’s REAL certificate and the SSL Appliance’s FAKED certificate MUST HAVE AND WILL HAVE radically different fingerprints.  They will not be remotely similar..

How to block flash videos using Squid proxy Server

A popular request is to block certain content types from being served to clients. Squid currently can not do “content inspection” to decide on the file type based on the contents, but it is able to block HTTP replies based on the servers’ content MIME Type reply.

via How to block flash videos using Squid proxy Server | Linux Blog.

Google now proxies images sent to Gmail users

It’s simple for senders to do this. Embed in each message a viewable image—or if you’re feeling sneaky, a nearly invisible image—that contains a long, random-looking string in the URL that’s unique to each receiver or e-mail. When Google proxy servers request the image, the sender knows the user or message corresponding to the unique URL is active or has been viewed. In Moore’s tests, the proxy servers requested the image each subsequent time the Gmail message was opened, at least when he cleared the temporary Internet cache of his browser. That behavior could allow marketers—or possibly lawyers, stalkers, or other senders with questionable motives—to glean details many receivers would prefer to keep to themselves. For instance, a sender could track how often or at what times a Gmail user opened a particular message.

via Dear Gmailer: I know what you read last summer (and last night and today) | Ars Technica.

The key to this issue is that Gmail now defaults to images on in email which should always be off.  In order to fix this Google must cache all images upon receipt of every email.  Doing it when a user requests an email defeats the entire purpose.  It’s always good practice to view with images off on all email no matter what the provider claims.

Nokia’s MITM on HTTPS traffic from their phone

From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.

via Nokia’s MITM on HTTPS traffic from their phone « Treasure Hunt.