
The difficulty of making sure your website is broken

42 points - today at 4:45 PM

  • nottorp

    today at 7:33 PM

    In the same direction, I once wanted to test an embedded device on crap wifi.

    So I just ordered the cheapest AP I could find.

    Except the damn device worked perfectly. Slow but rock solid.

    One of our testers at $CURRENT_JOB also has trouble simulating a crap network, because our network is good.

      • gnopgnip

        today at 8:27 PM

        You can simulate bad wifi with the throttling option on the network tab of your browser's developer tools

        • Groxx

          today at 7:48 PM

          Some proxies, iptables extensions, and OS-provided tools exist - there's almost certainly a combo that would work for them. What platform?

          Unless it's for a custom physical device, then uh. idk. Probably something, proxying through another computer that is hosting a separate wifi network? But likely a lot harder.

            • nottorp

              today at 7:53 PM

              I think he figured it out eventually, used some software tool. But I heard the complaining first.

        • paulirish

          today at 5:11 PM

          https://badssl.com/ also offers several test subdomains in the same vein.

            • NicolaiS

              today at 8:49 PM

              badssl.com is an amazing tool, especially for testing "TLS intercepting" boxes. I've seen more than one Fortune 500 company that re-signs certain broken certs with their own CA, allowing silent MITM.

          • ipython

            today at 5:57 PM

            Interesting. Chrome (146, macOS) shows no error messages on the revoked cert pages, but Firefox does (also macOS).

              • mcpherrinm

                today at 6:02 PM

                Yeah, Chrome only partly supports revocation (Not sure exactly the criteria, but our test sites don't match it).

                • moralestapia

                  today at 6:39 PM

                  Same with Brave, so it is a Chromium thing.

              • lifis

                today at 6:15 PM

                Vanadium, Chrome and Firefox (all for Android) all accept all the revoked certificates... But revoked.badssl.com is considered revoked

                  • RunningDroid

                    today at 6:47 PM

                    > Vanadium, Chrome and Firefox (all for Android) all accept all the revoked certificates... But revoked.badssl.com is considered revoked

                    Firefox Beta (150.0b7) is accepting all of the revoked certs on my device

                • bullen

                  today at 5:27 PM

                  Meanwhile HTTP keeps working just fine and is decentralized.

                  Just "add your own crypto" on top, which is the ONLY thing a sane person would do.

                  3... 2... 1... banned?

                    • horsawlarway

                      today at 7:26 PM

                      To actually tackle this (on the off chance you're serious, I'm assuming not) - this doesn't work.

                      The payload that implements your crypto cannot be delivered over http, because any intermediate party can just modify your implementation and trivially compromise it.

                      If you don't trust TLS, you have to pre-share something. In the case of TLS and modern browser security, the "pre-shared" part is the crypto implementation running in the browser, and the default trusted store of root CAs (which lives in the browser or OS, depending).

                      If you want to avoid trusting that, you've got to distribute your algorithm through an alternative channel you do trust.

                        • bullen

                          today at 8:21 PM

                          You are right, presharing is a requirement, unless you hash the keys used to encrypt the secret into the secret itself, but that can only be proven later on a channel where the same MITM is not present.

                          Work in progress, that said presharing solve(d/s) enough for the world to dump DNS and HTTPS in a bin and light it on fire now, because nobody has the power to implement all the MITM needed if everyone "makes their own crypto" on top of already shared secrets!

                          Circular arguments, wishful thinking and all...

                      • xandrius

                        today at 5:47 PM

                        Did you self-ban?

                          • bullen

                            today at 6:02 PM

                            XD Nope, more like self destruct! ;)