28 April 2021
Is a web site safe to visit?
The web browser displays a padlock (or lock) to indicate a secure communication channel between the web browser and the web server on which the web site is hosted.
The next video shows a user visiting some web sites. The communication between the web browser and the web sites is decrypted in real-time and displayed in the window behind the web browser.
The web browser displays a padlock even though the communication is not private.
The Transport Layer Security (TLS) Protocol is recommended for secure communication.
The National Security Agency (NSA) emphatically recommends replacing obsolete protocol configurations with ones that utilize strong encryption and authentication to protect all sensitive information.
The TLS protocol is one of the most widely used solutions for protecting network traffic.
The technical specification for the protocol states that the web browser is "responsible for verifying the integrity of certificates and should generally support certificate revocation messages. Absent a specific indication from an application profile, certificates should always be verified to ensure proper signing by a trusted certificate authority (CA)."
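The padlock only says that the certificate chain validated against the local trust store, so a certificate re-signed by any CA that store accepts still passes. The following is an added example, not part of the original page: it compares the certificate a machine is shown with records of the same site taken on an independent network path. It assumes the interception is done by a proxy that re-signs certificates; the record layout, function names and sample values are constructed for illustration.

```python
import hashlib
import socket
import ssl

def issuer_name(cert):
    """Flatten the 'issuer' field of ssl.SSLSocket.getpeercert() to 'k=v, k=v'."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)

def observe(host, port=443, timeout=5.0):
    """Record the leaf certificate this machine is shown for host.

    create_default_context() verifies the chain and the hostname, so a record
    is only returned in the case where a browser would show the padlock.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        der = tls.getpeercert(binary_form=True)
        return {"sha256": hashlib.sha256(der).hexdigest(),
                "issuer": issuer_name(tls.getpeercert())}

def assess(local, reference):
    """Compare a local record with records taken on an independent network path."""
    if any(local["sha256"] == r["sha256"] for r in reference):
        return "same-certificate"
    if any(local["issuer"] == r["issuer"] for r in reference):
        # Rotation or several front-end certificates: common, low signal.
        return "different-certificate-same-issuer"
    # Validated locally, yet signed by a CA the reference path never saw:
    # review which CA in the local trust store issued it.
    return "different-issuer"

# Constructed sample data (assumption: not real certificates or CAs).
SAMPLE_CERT = {"issuer": ((("organizationName", "Example Public CA"),),
                          (("commonName", "Example Public CA R1"),))}
PUBLIC = issuer_name(SAMPLE_CERT)
REFERENCE = [{"sha256": "aa" * 32, "issuer": PUBLIC}]
LOCAL_ROTATED = {"sha256": "cc" * 32, "issuer": PUBLIC}
LOCAL_RESIGNED = {"sha256": "bb" * 32,
                  "issuer": "organizationName=Example Inspection Proxy, "
                            "commonName=Example Inspection CA"}

if __name__ == "__main__":
    for name, rec in (("rotated", LOCAL_ROTATED), ("re-signed", LOCAL_RESIGNED)):
        print(name, "->", assess(rec, REFERENCE))
```

A "different-issuer" result is a prompt to inspect the local trust store, not proof of interception, since a site may legitimately use more than one CA.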
Can the secure communication channel (TLS) be decrypted by a third-party?
Were these web sites protected from communications surveillance?
192.0.2.1:48462: GET https://connect.facebook.net/en_US/sdk.js?hash=627fc12fa324537f6f678c4f586b7204&ua=modern_es6 HTTP/2.0
origin: https://www.instagram.com
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: script
referer: https://www.instagram.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
<< HTTP/2.0 200 OK 64.48k
access-control-expose-headers: X-FB-Content-MD5
etag: "e201fe10e07aadcdf46bd119ff7fdc4e"
timing-allow-origin: *
x-frame-options: DENY
content-encoding: gzip
x-fb-content-md5: 9fa801b03fcc6a9bbee22f20f5930a89
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
vary: Accept-Encoding
cross-origin-embedder-policy-report-only: require-corp;report-to="coep_report"
strict-transport-security: max-age=31536000; preload; includeSubDomains
content-type: application/x-javascript; charset=utf-8
x-content-type-options: nosniff
report-to: {"group":"coep_report","max_age":86400,"endpoints":[{"url":"https:\\/\\/www.facebook.com\\/browser_reporting\\/"}]}
x-fb-rlafr: 0
cache-control: public,max-age=31536000,stale-while-revalidate=3600,immutable
expires: Wed, 27 Apr 2022 10:03:43 GMT
content-md5: k/tcmZv9MAVppfuj7hjtZg==
x-fb-debug: Bvc/TzvGX2q7CoAw7cXrrAm8OFDN4PmCFli9EJeZhx0HGHwnxlmGzn6JLbMpLphFwZ1MUSWsFTRP6b/Jx/w6dA==
priority: u=3,i
content-length: 66027
date: Tue, 27 Apr 2021 11:29:23 GMT
alt-svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Questions?
Private information sent to a web site can be decrypted in real-time. The next video shows a user logging into twitter.com. The login information is decrypted and displayed in the terminal window.