First good argument I see about why the GitHub acquisition is bad. https://twitter.com/ErrataRob/status/1003396869052141568
-
It’s certainly possible to intercept SSL traffic if you’re controlling the middle layer. Many companies do it, some countries as well. I don’t see how China cannot.
-
No, it isn't. That's the whole *point* of TLS. To intercept it you need to control *an endpoint*. Companies control the local endpoint. China tries, but cannot control all endpoints (people's devices).
-
MITM was made possible after adding SNI extension to TLS (OpenSSL) for cert handling to accommodate for companies like CloudFlare. This is just one of many HTTPS flaws.
-
You have no idea what you're talking about. MITM is never possible without a compromised endpoint.
-
Perhaps you're confusing that, to use a service like Cloudflare, you (the server endpoint) are voluntarily appointing Cloudflare as a MITM. Then in some sense you compromised your own endpoint. This only affects your site, not anyone else's.
-
My point is that if the website admin is using CloudFlare (or being forced to use similar service in an oppressive country) and accepted them as a MITM, the user browsing the web will have no warning there is a MITM in the browser.
-
They had to authorize the certificate to be issued to Cloudflare or a similar service, or had to have provided a private key for a certificate already issued. If not, the CA that issued the cert is in violation of CA policy and can/should be removed from trusted CA set.
-
Especially now with CT logs, wrongfully issued certs WILL be caught, and someone will be held accountable.