@alexstamos @_mwc @sleevi_ Also, LV is purported to be a way to help poor people, but you'd have to be very rich to get an LV cert.
-
-
-
@BRIAN_____@alexstamos@_mwc@sleevi_ -- you'd have to be very rich to get an LV cert to profit off of poor people at their risk.
End of conversation
New conversation -
-
-
@BRIAN_____@alexstamos@_mwc Right, the risk in SHA-1 is issuance; as long as new certs are issued, everyone who still trusts is at risk. -
@BRIAN_____@alexstamos@_mwc You can either stop issuance (~300 CAs) or stop trusting (~billions of devices). One is viable, the other isnt -
@BRIAN_____@alexstamos@_mwc And stopping trusting is... hard. OpenSSL can't do it safely w/o causing damage, for example. Nor OS X. -
@BRIAN_____@alexstamos@_mwc Nor Android. And Chrome can't cover it up short of rewriting all of that OS code into the browser, ala Mozilla -
@sleevi_@alexstamos@_mwc I have to admit I like Mozilla's approach here.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.