the more you trust the larger your threat model is
Replying to @cryptodavidw @jedisct1
Nah, just embrace Certificate Transparency and CAA :)
Replying to @ivanristic @jedisct1
how many clients implement these though?
Replying to @cryptodavidw @jedisct1
If Chrome does it in May, it will be a good start. But I was referring to monitoring, not enforcement, for example https://www.hardenize.com/blog/certificate-transparency-monitoring …
Replying to @ivanristic @jedisct1
IIUC you can't detect the MITM attack if the client doesn't have CT and doesn't report the new certificate. I'm not sure if mobile apps (which use the web PKI a lot for some reason) will ever implement CT.
Replying to @cryptodavidw @ivanristic
or anything that is not a web browser.
Replying to @jedisct1 @cryptodavidw
I am not saying they will, but why do you think other clients won’t implement CT enforcement? (Just curious to hear the argument.)
Replying to @ivanristic @jedisct1
Probably because there hasn't been a lot of interest outside of the browsers? But then the web PKI shouldn't be used outside of browsers anyway.
-
Yes.