Lobby them to stop supporting interception via local certificate store for HPKP or at least add a way to opt-out.
Replying to @CopperheadOS @RichFelker
In principle I support that, yet I see little chance of succeeding with it.
However, given the latest events and the sheer scale of MITM fuckups: maybe things change.
If the "adversary" has such control over the endpoint, is this not futile?
Not every OS uses the desktop security model and getting the user to install a cert shouldn't break HPKP.
Replying to @CopperheadOS @Scott_Helme and
Desktop security model as in lack of a security model. Also see https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
Replying to @CopperheadOS @Scott_Helme and
"[...] target API Level 24 and above no longer trust user or admin-added CAs for secure connections, [...]"
What's the solution for enterprise environments here?
Not making their company less secure by intercepting TLS to try enumerating badness while breaking security.
Replying to @CopperheadOS @Scott_Helme and
Wouldn't that mean internal sites secured by the enterprise CA would show as untrusted though?
Not if the enterprise CA is just for a domain the enterprise owns rather than for *.
Replying to @RichFelker @CopperheadOS and
Good point, but if the browser distrusts all added CAs then it doesn't matter what they're for.
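The thread's last two points (an enterprise CA that is only meant for domains the enterprise owns, versus a platform that distrusts every added CA) are exactly what Android's Network Security Configuration, introduced alongside the API level 24 change quoted above, lets an app express. The file below is an added example written for this page, not code from any participant in the thread; the domains are the reserved `example.com` names and the pin values are obviously constructed placeholders, not real digests.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the thread) -->
<network-security-config>

    <!-- Default for every host the app talks to: system CAs only, no user
         or admin-added CAs, and no cleartext. This is the API 24+ default
         made explicit, and it is what stops a user-installed interception CA
         from silently terminating TLS for the app. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- The enterprise's own domains: trust the user/admin-installed CA
         *only here*, so an internal site signed by the corporate CA is not
         shown as untrusted, while that same CA is still worthless for
         intercepting traffic to any other host. -->
    <domain-config>
        <domain includeSubdomains="true">corp.example.com</domain>
        <trust-anchors>
            <!-- The installed enterprise CA (user store). -->
            <certificates src="user" />
            <!-- System CAs are still accepted for these hosts as well. -->
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- A third-party service the app depends on: pin the expected SPKI
         hashes so that even a system-store CA cannot be used to impersonate
         it. A backup pin is included so a key rotation does not brick the
         app; the expiration date disables the pins if the app goes unupdated.
         PLACEHOLDER digests below: replace with the real SPKI SHA-256 values
         of the leaf/intermediate and a backup key. -->
    <domain-config>
        <domain includeSubdomains="false">api.example.net</domain>
        <pin-set expiration="2027-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64==</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64==</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

The file is referenced from the manifest with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element. Two design points worth noting: the more specific `<domain-config>` wins over `<base-config>`, so user-CA trust really is scoped to `corp.example.com` and its subdomains only; and because pins are evaluated against the whole chain, a pin on the enterprise domain would not be needed to reject an unrelated interception CA there, the restricted trust anchors already do that.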