@BRIAN_____ @alexstamos @_mwc And stopping trusting is... hard. OpenSSL can't do it safely w/o causing damage, for example. Nor OS X.
Replying to @sleevi_
@BRIAN_____ @alexstamos @_mwc Nor Android. And Chrome can't cover it up short of rewriting all of that OS code into the browser, ala Mozilla
Replying to @sleevi_
@alexstamos @_mwc The reason for all of this being, again, cross-certs and PKI path building.
Replying to @sleevi_
@alexstamos @_mwc @BRIAN_____ is one of the few ppl in the world who can and has done it right. Even we haven't (...yet). And it takes time
Replying to @sleevi_
@alexstamos @_mwc @BRIAN_____ For example, we can't safely turn off SHA-1 for App Engine hosted apps. That's the world we live in :/
Replying to @sleevi_
@alexstamos @_mwc @BRIAN_____ No PHP, Python, Perl, or Ruby app can safely turn off SHA-1 and still talk to the Internet at large.
Replying to @sleevi_
@alexstamos @_mwc @BRIAN_____ Hopefully that explains more context as to why I'm so vociferously virulent in my opposition :)
Replying to @sleevi_
@sleevi_ @alexstamos @_mwc @BRIAN_____ Server side cert switching also provides a path to support older clients, and still deprecate SHA1.
Replying to @jvehent
@jvehent @alexstamos @_mwc @BRIAN_____ Only really a path for Mozilla, speaking solely of how (new/modern) clients are implemented.
Replying to @sleevi_
@sleevi_ @alexstamos @_mwc @BRIAN_____ Why is cert switching not a viable path for {facebook,twitter,google}.com? Modern clients get sha256.
@jvehent @sleevi_ @alexstamos @_mwc Firefox is the only browser that can disable SHA-1-signed certs in a meaningful and web-compatible way.