@alexstamos @fugueish @newshtwit Real risk is from a forged SHA-1 cert. If attacker has one they'll use it to MitM and bypass cert switching
@alexstamos @fugueish @newshtwit What's the security value of preventing downgrade to a valid SHA-1 cert? The connection is no less secure.
@alexstamos @fugueish @newshtwit Which is why CAs need to STOP issuing SHA-1 certs, so it becomes impossible to create forgeries.
@alexstamos @fugueish @newshtwit And is why Symantec was rebuffed when they asked for essentially the same thing you are asking for now.