no.
Replying to @hanno @RichFelker
if you're looking into mitm detection: there's really no easy route. you can look for hpkp fails, but has pitfalls, too.
2 replies 0 retweets 0 likes -
Replying to @hanno
Obviously a MITM could replace the js even if it could, but it would make their lives much harder & foil the usual AV/ent crap.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @hanno
Anyway, seems like this is a feature we should be lobbying browser vendors for.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @hanno
Lobby them to stop supporting interception via local certificate store for HPKP or at least add a way to opt-out.
2 replies 1 retweet 4 likes -
Replying to @CopperheadOS @RichFelker
in principle I support that, yet I see little chance of succeeding with it.
1 reply 0 retweets 0 likes -
however given latest events and the sheer scale of mitm fuckups: maybe things change.
1 reply 0 retweets 0 likes -
if the "adversary" has such control over the endpoint, is this not futile?
3 replies 0 retweets 0 likes -
that's the usual counterargument https://noncombatant.org/2015/11/24/what-is-hpkp-for/ …
1 reply 0 retweets 2 likes -
Replying to @hanno @Scott_Helme and
I'd still see value in making a clear statement from browsers that this is unsupported behavior.
1 reply 0 retweets 1 like
You can make more than a statement; you can make it illegal and something browser vendors can sue for.