How can I find out whether my browser traffic can be intercepted?



  • In theory, visiting a website with HTTPS and seeing the neat, little lock icon next to the address should give us a warm, cozy feeling of safety. However, how safe is it really?

    As it stands, HTTPS (if implemented correctly) can prevent man-in-the-middle attacks, so that no one knows what is exchanged between my client and the server. But that is not a given.

    Q1: Are there tools to verify whether or not the servers are set up correctly? In 2021, is (for example) the Chrome Dev Tools Security tab sufficiently reliable to determine the security of the contents transferred between my client and the server? Are there scenarios where that Security tab is all green, but (given I do not use a VPN, and my computer and (if applicable) proxies are not compromised) a third party can still see my traffic?

    Aside from web content, another important piece of data to protect is the domains that I visit. In theory, a third party can easily know the IP address of the server, but can they know the domain name? E.g. TLS's plaintext SNI field can be used to find out the domains that certain clients visit. TLS 1.3 has introduced Encrypted SNI (ESNI) to circumvent censorship and tracking. Because of that, China, for example, has started banning TLS 1.3+. Cloudflare made a big point about upgrading to ESNI right away, and Firefox apparently was the first to support ESNI in 2018. Thus the question:

    Q2: How can I verify whether someone can sniff the domains of my visited servers? Are there good tools for that?

    A first answer to this question is: Cloudflare Browser Security Check. But it is not enough, since I want to check individual connections, not just my browser.



  • TLS-secured web connections are the basis of the web. Within ordinary usage, this is as good as it gets.

    True, the system is not perfect and any organization capable of obtaining an appropriate cert can perform a MiTM, but this is a pretty high bar. In some ways it's like asking about counterfeiting cash: good counterfeits are difficult but not entirely impossible.

    As far as what you can personally do:

    • Check the TLS Certificate and CA
    • Encrypted SNI is still not common, although I believe Cloudflare supports it.

    If you feel you need something more:

    • Escalate to using a VPN.
    • The last practical step is to use Tor, specifically the TBB Browser.
