@agl__ how about CAs that are scoped to that TLD? :o
Replying to @randomoracle
@randomoracle @agl__ X.509 name constraints don't seem to work very well, e.g.: https://lists.eff.org/pipermail/observatory/2011-April/000173.html
Replying to @bascule
@bascule @randomoracle @agl__ NC doesn't address the point though - new.domain can script http://evil.com and get owned //@fugueish
Replying to @sleevi_
@sleevi_ @randomoracle @agl__ @fugueish subresource integrity would also help a lot here
Replying to @bascule
@bascule @randomoracle @agl__ @fugueish Or just hosting the damn script on your domain if you care about security ;)
Replying to @randomoracle
@randomoracle @sleevi_ @agl__ @fugueish subresource integrity ensures that 3rd-party 0wnage is, at worst, a DoS attack
Replying to @bascule
@bascule @randomoracle @agl__ @fugueish Only for the X% of users with hypothetical SRI. Different threat model to solve than CSP.
@sleevi_ @randomoracle @agl__ @fugueish yeah, SRI is more like a wishlist item. In the meantime CSP is pretty cool