To anyone considering MITM certs, even for AV, etc.: By doing this, you are completely disabling the browser's ability to detect forgery.
@RichFelker To play devil's advocate, what's stopping MITM box from doing forgery checking, cert pinning, or anything else browser w/ do?
@matolucina Even if they were competent and willing to, there's no way to present results to the user & keep up with latest browser behavior
@RichFelker The MITM proxy could inject UI into existing webpages and auto-update itself to follow best practice. Hard? Yes. But possible.
@matolucina That's utterly awful and a huge new attack surface. WHY do people think ideas like this are respectable? https://twitter.com/matolucina/status/669537987634585601
@RichFelker Ah, but what if you (the user) own and thus trust the *proxy*, but don't own/trust/fully control the *browser*?
@matolucina Yes this happens with appliances with emb. browsers (think Chromecast) but fixing them isn't worth killing the whole trust model
@matolucina Ultimately the endpoint (browser box) has full control over what it trusts/does, and can circumvent anything short of mod'ing it
@matolucina The fix for malicious embedded endpoints is not to MITM them (they can stop this) but to mod or replace them with open hw/FOSS.