Obviously a MITM could replace the js even if it could, but it would make their lives much harder & foil the usual AV/ent crap.
-
-
Replying to @RichFelker @hanno
Anyway, seems like this a feature we should be lobbying browser vendors for.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @hanno
Lobby them to stop supporting interception via local certificate store for HPKP or at least add a way to opt-out.
2 replies 1 retweet 4 likes -
Replying to @CopperheadOS @RichFelker
in principal I support that, yet I see little chances of succeeding with it.
1 reply 0 retweets 0 likes -
however given latest events and the sheer scale of mitm fuckups: maybe things change.
1 reply 0 retweets 0 likes -
if the "adversary" has such control over the endpoint, is this not futile?
3 replies 0 retweets 0 likes -
Not every OS uses the desktop security model and getting the user to install a cert shouldn't break HPKP.
1 reply 0 retweets 0 likes -
Replying to @CopperheadOS @Scott_Helme and
Desktop security model as in lack of a security model. Also see https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html ….
1 reply 0 retweets 0 likes -
Replying to @CopperheadOS @Scott_Helme and
"[...] target API Level 24 and above no longer trust user or admin-added CAs for secure connections, [...]"
2 replies 0 retweets 0 likes -
what's the solution for enterprise environments here?
3 replies 0 retweets 0 likes
Well having their browsers always showing red "you're under surveillance" would be ok with me.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.