With this blog entry I thought I would ask a question.
As you would expect, someone with my background has a home network that is someone different to that of the average home user. Part of that is the use of a web proxy server, so all devices need to go via that to access the outside world over http-type protocols; including devices such as phones.
This can be very interesting; learning what devices actually want to talk to; which obey your proxy settings and which attempt to go direct.
If we take a Samsung android phone, for example. I see invalid requests which show up as the following on the web proxy (these aren't valid proxy requests if you look at a packet capture):
We also see the usually 'big data' connections you now get with large corporates, such as:
What sparked by interest here is that it is an SSL connection over port 80. I quick nc and s_client connect prove it is SSL. This then showed it was self-signed.
Now, in of itself self-signed may not be a problem. If the app already knows what to expect via other channels, it just infers we don't know about the trust.
What is interesting is the depth; no cert chain and it uses a wildcard address.
If we then look at the cert itself, things get even more intriguing.
Yes; the certificate on the remote server is a CA with a weak key.
Before going down the rabbit hole, I'm sure others have looked at this. Not just the specific questions with Samsung android devices and what they connect to, but the general question of production servers (i.e. those used by paying customers, and/or have live data) using such suspect setups. I certainly recall the issues with Samsung TVs not encrypting customer data.