@kragen "SSL spoofing is not needed, Windows Update falls back to plaintext HTTP"
O_o
Replying to @slightlylate
@slightlylate It depends on the signature on the file it downloads which is a reasonable thing to do, if the sig algo is secure, not MD5.
Replying to @slightlylate
@slightlylate Well, *someone* has to invent it. Otherwise it won't get invented and we'll all be using knapsack signatures and MD2.
Replying to @slightlylate
@slightlylate @kragen the public-facing windows update team absolutely had some of the world's most qualified engineers for this
Replying to @hillbrad
@hillbrad @slightlylate @kragen TLS is actually a dangerous way to deliver security updates; a bug/vuln in TLS stack can stop all updating.
Replying to @BRIAN_____
@BRIAN_____ @kragen @hillbrad @slightlylate it's orders of magnitude to get TLS right than file oriented crypto
Replying to @dakami
@dakami @kragen @hillbrad @slightlylate Orders of magnitude easier or harder?
Replying to @BRIAN_____
@BRIAN_____ @kragen @hillbrad @slightlylate easier. Evilgrade much simpler and more devastating than all the clever TLS attacks
@dakami @kragen @hillbrad @slightlylate It is very easy to DoS yourself with TLS, e.g. Chrome's HPKP & similar attempts at pinning.