HackerTrans
TopNewTrendsCommentsPastAskShowJobs

netresec

no profile record

comments

netresec
·5 ปีที่แล้ว·discuss
We deleted this tweet earlier today. Thanks to everyone who fact checked our statement and reached out to notify us about the mistake! A correction has been posted here: https://twitter.com/netresec/status/1440298935868743686
netresec
·5 ปีที่แล้ว·discuss
Yes. Sorry for the confusion. The original tweet has now been removed and a correction has been posted instead.
netresec
·5 ปีที่แล้ว·discuss
We first tried to post replies with corrected information, but it didn't seem to help. The tweet has now been deleted and a correction tweet has been posted instead.
netresec
·5 ปีที่แล้ว·discuss
The PCAP in the referenced tweet was created using PolarProxy, which decrypts and re-encrypts TLS traffic while saving the decrypted traffic to a PCAP file.
netresec
·5 ปีที่แล้ว·discuss
MitM'ing the traffic using a trusted root CA allows TLS traffic to be decrypted, even if perfect forward secrecy is used. That's what we did to produce the decrypted PCAP shown in the Wireshark screenshot.
netresec
·5 ปีที่แล้ว·discuss
You are completely right. The traffic was sent as TLS encrypted HTTP/2 traffic to Microsoft. We decrypted it using PolarProxy in order to see what was transmitted. The screenshot in the tweet shows the decrypted PCAP generated by PolarProxy.
netresec
·5 ปีที่แล้ว·discuss
You are correct. This traffic was not generated by typing text into the "run box", it was generated by typing text into the "start menu box". We are very sorry for the confusion this has caused. The wireshark screenshot shown in our tweet was showing TLS traffic that has been decrypted by PolarProxy. That’s why it shows up as HTTP/2 traffic over TCP port 80.