Greg Slepak

@nixcraft If you can install a local CA you can install a modified Chrome without any warnings. Chrome can't protect against it.

This post explains why that's a nonsense argument: http://blog.okturtles.com/2015/11/dells-tumble-googles-fumble-and-how-government-sabotage-of-internet-security-works/ …

Incidentally you can also run rm -rf on your machine and hit it with a hammer.

Not OK to tell users they're on a secure connection when it's being MITM'd.

Also doesn't tell you anything about WebRTC DTLS SRTP. No chromed (non-spoofable) way to check fingerprt

Referring to this?https://twitter.com/taoeffect/status/743128789111078913 …

No, I mean to verify end-to-end encryptn of (non-http) transport tied to an element eg call/video stream.

Compare eg to RedPhone/Signal where there's a SAS. You can't E2E with Chrome, b/c trust is tied to site.

"PUBLIC KEY PINNING BYPASSED BY LOCAL ROOT CERTIFICATE" wtf G doesn't employ retards; I conclude malice. @taoeffecthttps://twitter.com/taoeffect/status/750200660272885764 …

.@CTZN5 And a (modified) version of that wording could be fine—if anyone could actually see it.

another colour even, to specifically indicate "secure according to a local cert"

What happened to the red x / crossed out HTTPS? *That* should be happening on a MitM connection.

.@tehCh0nG @taoeffect @ChromiumDev yeah. Seems Google thinks devs can't deploy HPKP correctly. Then why support it at all? cc @sleevi_

Whether they can or can't, that's got nothing to do with lying to users about the security of the conn.