Is it possible for JS running in the browser to query properties of the cert for the connection resources were retrieved over?
Replying to @hanno @RichFelker
If you're looking into MITM detection: there's really no easy route. You can look for HPKP fails, but it has pitfalls, too.
Replying to @hanno
Obviously a MITM could replace the JS even if it could, but it would make their lives much harder & foil the usual AV/ent crap.
Replying to @RichFelker @hanno
Anyway, seems like this is a feature we should be lobbying browser vendors for.
Replying to @RichFelker @hanno
Lobby them to stop supporting interception via local certificate store for HPKP or at least add a way to opt-out.
Replying to @CopperheadOS @hanno
Rich Felker Retweeted CopperheadOS
Rich Felker added,
8:21 AM - 28 Feb 2017