Is it possible for js running in the browser to query properties of the cert for the connection resources were retrieved over?
Replying to @hanno @RichFelker
if you're looking into mitm detection: there's really no easy route. you can look for hpkp fails, but that has pitfalls, too.
Replying to @hanno
Obviously a MITM could replace the js even if it could, but it would make their lives much harder & foil the usual AV/ent crap.
Replying to @RichFelker @hanno
Anyway, seems like this is a feature we should be lobbying browser vendors for.
Replying to @RichFelker @hanno
Lobby them to stop supporting interception via local certificate store for HPKP or at least add a way to opt-out.
Replying to @CopperheadOS @RichFelker
in principle I support that, yet I see little chance of succeeding with it.
however given latest events and the sheer scale of mitm fuckups: maybe things change.
if the "adversary" has such control over the endpoint, is this not futile?
No, because you control the trademark on the browser.
You can make breaking the functionality & still calling it "Chrome" or "Firefox" a TM violation.