@whispersystems Hey, you ARE pinning the flock TLS cert, right? Also you should fix the rest of this stuff https://www.ssllabs.com/ssltest/analyze.html?d=flock-sync.whispersystems.org&s=54.244.91.66&latest
@sindarina The server is its own authority. Makes no difference what the sig hash is or how long the expiration is. @kyhwana
@whispersystems @sindarina how does it not matter if someone can generate a self-signed cert with the same SHA1? How are you pinning?
@kyhwana Read this, see "Option 1:" http://thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/ There are no CA certs, there's nothing to pin. @sindarina
@whispersystems @sindarina see? That's all you had to say right at the start. *link* "we do option A"
@kyhwana @sindarina It's also on the first page of search results for "certificate pinning."
End of conversation
New conversation
@whispersystems I beg to differ; there is no reason to use a SHA1 certificate nowadays, use SHA2. If only for perception. @kyhwana
@sindarina You want us to spend time on something w/ no sec value so ppl who run ssllabs and don't understand it won't bother us on Twitter?
@whispersystems Perception is not to be underestimated in a security product, regardless of the actual value experts assign to it.
@whispersystems Security experts with a deep understanding of the various technologies aren't the only users of your product, after all.
@whispersystems And frankly, dismissing a raised concern so quickly is a bit of a dickish move. Not really inspiring confidence, that.
@sindarina In response to telling us we're unqualified to run our own infrastructure based on info you've parroted without thinking through. -
@whispersystems What other conclusions are there for why SSLv3 and RC4 are on, then? Your supported platforms don't need it, so why bother?
End of conversation