Not every OS uses the desktop security model and getting the user to install a cert shouldn't break HPKP.
Replying to @CopperheadOS @Scott_Helme and
Desktop security model as in lack of a security model. Also see https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html.
1 reply 0 retweets 0 likes -
Replying to @CopperheadOS @Scott_Helme and
"[...] target API Level 24 and above no longer trust user or admin-added CAs for secure connections, [...]"
2 replies 0 retweets 0 likes -
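For reference, the opt-in mechanism behind the change quoted above, as an added example that is not part of the thread: on Android 7.0 (API level 24) and later an app declares its trust anchors in a network security config XML file, which the manifest references from the application element with android:networkSecurityConfig="@xml/network_security_config". The file name, the domain example.com and the two pin values below are placeholders chosen for this example; the digest values are not real pins.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: res/xml/network_security_config.xml (file name assumed). -->
<network-security-config>
    <!-- Default for all connections: trust only the system CA store.
         This is what a target-API-24+ app gets even without a config;
         user-added and admin-added CAs are NOT trusted here. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Only applied when the app is built with android:debuggable="true".
         Lets developers inspect their own traffic through a user-installed
         CA without shipping that trust in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Per-domain pinning (the Android equivalent of HPKP's role for an app).
         Pins are base64 SHA-256 hashes of the SubjectPublicKeyInfo; the two
         values below are PLACEHOLDERS, not real pins. Keep a backup pin so a
         key rotation does not lock the app out. -->
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_PIN_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

An app that genuinely needs to work behind an inspecting proxy would add a `<certificates src="user" />` entry to its base-config trust-anchors; because that choice is per app and shipped in the APK, a CA pushed onto the device no longer silently affects every app on it, which is the point of the change the tweet quotes.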
What's the solution for enterprise environments here?
3 replies 0 retweets 0 likes -
There's an implicit assumption that "enterprise" needs this. I challenge that.
2 replies 0 retweets 1 like -
Replying to @hanno @Scott_Helme and
Issue is always exfil. They'll just API the remote instead: https://www.paloaltonetworks.com/products/secure-the-cloud/aperture
2 replies 0 retweets 0 likes -
Replying to @TychoTithonus @Scott_Helme and
Maybe we need more "I can exfil despite your MITM" PoCs then...
1 reply 1 retweet 1 like -
Replying to @hanno @TychoTithonus and
Not hard to do: some JavaScript obfuscation should suffice.
1 reply 0 retweets 0 likes -
Replying to @hanno @Scott_Helme and
Fair. NGFW must reject unparseable app-level data. Arms race, but at least some mitigation.
1 reply 0 retweets 0 likes -
Replying to @TychoTithonus @Scott_Helme and
That doesn't work either. You can leak via parseable app data.
1 reply 0 retweets 1 like
All data is unparseable if you don't know the rules of the parser that'll be parsing it.