Comments on RevK®'s ramblings: Barclays on-line banking bug
(comment feed, 10 comments, last updated 28 March 2024)

rtho782, 5 April 2017, 11:34:
Probably just a standard response in response to issues reported with online banking, prior to it being sent to a more technical team.

For example, you might be reporting that online banking doesn't load at all, and you might reply to the ISP question that you're using it from work, and then it might turn out they are doing HTTPS MITM monitoring (as my work do, via a root cert they install on their machines).

Cecil Ward, 5 April 2017, 14:26:
In case your ISP is Verizon, some lying scumbag outfit that intentionally perverts data sent upstream.

Owen Smith, 5 April 2017, 23:34:
Really? There are companies that do MITM attacks on their own employees? I suspect that may be illegal in the EU; I thought the courts had ruled it's OK to use work systems for a small amount of personal use and it is reasonable to expect privacy on that. Or am I mis-remembering something?

Chad H, 5 April 2017, 23:57:
It may just be standard questions for all troubleshooting. Remember it's first line, RevK. Having worked in FirstLine (for O2 Broadband before it went away), a lot of folk who are hired don't know that a MAC address isn't where you get a burger.

Typically what passes as training is a scattergun approach of solutions without any actual diagnosis, followed by a standard template where they're expected to fill it completely.

So that's why.

mbastudier, 7 April 2017, 20:43:
This is legal as long as people are aware it is happening, and many companies do it. I am aware of some companies who pass through without MITM the traffic to financial services, healthcare, some charities etc. as a courtesy to their employees.

RevK, 8 April 2017, 08:49:
You say that, but this is intercepting communications. Does the other end of those communications (the web site) know that it is happening, and have they consented? If not, are you sure it is legal? Consider the case reversed, where a web site knows some ISP does MITM for profiling or something without the end user knowing?

jas88, 8 April 2017, 10:24:
That's a good point: is the consent of one of the two ends of a communication sufficient for this? I'm not at all sure it is; certainly with phone calls, *both* parties must be made aware of the surveillance and its purpose for it to be legal, which is why call centres state explicitly that calls are recorded for stated purposes.

Based on the phone rules, I would say SSL MITM should *not* be legal, and certainly shouldn't be tolerated generally; better to disable connectivity than to spy on it with dubious legality.

It's apparently possible (at least some of the time) for the server to detect this interception (I think the usual giveaway is that each browser has slightly different SSL/TLS parameters, so of course the intercepting device won't match exactly).

It's also quite possible not all their assets are served from the same server, with static content from a different hostname than dynamic. They've probably had problems in the past with crappier ISPs blocking the CDN or similar.

(I had a client - a government agency, in fact - having problems with their "firewall" tampering with content. It turned out to be shoving a JavaScript comment into each JS file downloaded, at the end of the file or X kB, whichever came first - so on larger files, it broke the JavaScript. Switching to HTTPS fixed that, but other similar "security" products do HTTPS interception too...)

Rob, 18 April 2017, 15:40:
With the increasing number of services using SSL, almost all solutions where web filtering is required (schools, public sector etc.) are MITM now. It's the norm, unfortunately.

Anonymous, 4 November 2017, 13:55:
Couldn't help but think of this blog entry while on the phone to Metro Bank a few minutes ago. Something minor has gone wrong in their system and has blocked one particular feature of one of my accounts. The same feature works fine on the other two accounts, so we know the browser is capable of handling this feature without problems. They are flat out refusing to accept the problem report unless I give them the browser version. So stalemate then! "No stupid bank rules" is their motto.

mtom, 9 June 2018, 11:36:
This will be a great website, might you be interested in doing an interview about how you developed it? If so e-mail me! second chance banking peoples bank (https://letmebank.com/best-second-chance-banks)