@sleevi_ Have you Chrome folks run into anything like https://bugzilla.mozilla.org/show_bug.cgi?id=1236664 … during your leadup to rejecting SHA1 certs issued in 2016?
@sleevi_ @CodingExon I was wondering about that when I read the code last week.
@BRIAN_____ @CodingExon Same basic philosophy as HPKP bypass, with serious pain learned from MD5 deprecation. Not ideal, but seems necessary
@sleevi_ @CodingExon OTOH, that would mean that if you trust any non-built-in cert, you have nearly zero protection from collision attacks.
@sleevi_ @CodingExon I'm probably overstating that for the general case. But, it's probably true for many "I'll sign anything" MitM proxies.
@BRIAN_____ @CodingExon @ttaubert @rlbarnes I'm increasingly getting convinced that trying to stop dumb (AV/intercept) is pointless :(
@sleevi_ @CodingExon @ttaubert Personally, I think Firefox should just not even bother w/ workarounds. Give expensive users to Chrome & IE.
@BRIAN_____ @sleevi_ @ttaubert Interesting point (CC @rlbarnes). We should see how many users we're talking about, but I probably agree.