Could a server deliver single-use TLS certificates (signed by a sub-CA) in order to fingerprint clients? What would prevent this?
-
-
I know SSH uses a TOFU model where the first cert presented is cached. But a single-item cache per domain where you can't ask the client what's in the cache makes it hard to fingerprint. Unless you can chain a bunch of domain redirects and check each domain cert cache status...?
-
How many certificate TOFU type protocols allows you to send off the client through a chain of domain redirects in order to connect? How many can point to external resources?
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.