@CodingExon @__apf__ Although that would take an extra 12-16 weeks to roll out to stable. But it's the right thing to do.
@sleevi_ Nice! FYI, we're reverting the SHA-1 deprecation for the moment (https://bugzilla.mozilla.org/show_bug.cgi?id=1236975) so we can see how bad the MITM problem is.

@CodingExon The first mover problem strikes again! Note that our first phase of SHA-1 deprecation (up until the 2017 cliff) is only for PTCs.

@CodingExon That is, MITM software is exempted. Pros and cons of that, but certainly helps users. Could consider it... //@BRIAN_____

@sleevi_ @CodingExon I was wondering about that when I read the code last week.

@BRIAN_____ @CodingExon Same basic philosophy as HPKP bypass, with serious pain learned from MD5 deprecation. Not ideal, but seems necessary.

@sleevi_ @CodingExon OTOH, that would mean that if you trust any non-built-in cert, you have nearly zero protection from collision attacks.

@sleevi_ @CodingExon I'm probably overstating that for the general case. But it's probably true for many "I'll sign anything" MitM proxies.

@BRIAN_____ @CodingExon @ttaubert @rlbarnes I'm increasingly getting convinced that trying to stop dumb (AV/intercept) is pointless :(

@sleevi_ @CodingExon @ttaubert Personally, I think Firefox should just not even bother w/ workarounds. Give expensive users to Chrome & IE.

@sleevi_ @CodingExon @ttaubert That's basically what we did with client certificates.

@BRIAN_____ @sleevi_ @CodingExon @ttaubert You are talking about insecure renegotiation, right?

@yuhong2 @sleevi_ @CodingExon @ttaubert No, just the fact that nobody ever touches the client cert code in Gecko.