@RichFelker @konklone That cannot happen; it's needed for SSL MitM for enterprises.
@SwiftOnSecurity @konklone Enterprise just needs to give this up and find a different solution. MITM is always unacceptable.
@SwiftOnSecurity @konklone For "asset control" it's useless anyway; rogue employees can just use an alternate channel to move data out.
@SwiftOnSecurity@konklone For AV type use, it belongs on the endpoints, not the network.
@RichFelker Won't happen. Useful for debugging. If Khaz can force a root CA, they'll force a patched Chrome/OS w/ KhazCA. So Khaz're still vuln.
@tehile Getting ppl to install a modified browser with official branding removed is a lot harder, won't work on iOS, etc.
@RichFelker Right, OS distributors should fully lock their OS so that rogue states could not force users to install rogue browsers.
@ch3root Proprietary OSes/ecosystems should keep 3rd-party malware out of the core system. Of course they should be replaced by FOSS ones.
@RichFelker What you are proposing -- app protection from a user with full hw access -- is a move in the opposite direction: DRM, locked OSes.
@ch3root You're misinterpreting what I'm proposing, but Twitter and 140 characters... not a good medium for this.
@RichFelker Ok. Should I as a user be able to inspect what Chrome sends to Google? If not via MITM, how?
@ch3root Via the JS console or editing the source. Or manually allowing individual invalid certs. But not a root CA.
@RichFelker What about internal CAs?
@frioux They should not be root CAs but just for a domain that the owner controls.
@RichFelker Is there even a cert store for that? How do I tell Chrome "all certs under *.mylan.com must be signed by this cert"?
@frioux There is a "name constraint" field in certs that can supposedly be used for this, but I don't have experience with using it.
@RichFelker The most amazing piece is that the site where one must download the cert is not even HTTPS.