I think you're saying that it will break TLS MITM middleware boxes (like Bluecoat). True, but for those to work you already need Administrator access to the endpoint (to install the CA). If you have Admin, you can just hook and patch the browser instead, which is worse!
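An on-host check for the two footprints this reply describes, added here as an example and not code from anyone in the thread: an interception CA an Administrator has pushed into the Windows root store, and an on-disk modification of chrome.exe. It assumes Windows PowerShell 5.1 or later and Chrome at its default install path; the "not Microsoft" subject filter is a crude heuristic, not an authoritative allowlist.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ and the
# default Chrome install path; both are assumptions, adjust for your fleet.
$chromePath = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"

# --- (1) Root CAs that did not come from Windows' own root program ---
# Self-signed certificates in the Root stores are actual trust anchors. Anything
# whose subject is not a Microsoft root deserves a look: an enterprise
# TLS-interception CA pushed by GPO or an installer shows up here.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -eq $_.Issuer -and        # self-signed => a root, not an intermediate
        $_.Subject -notmatch 'Microsoft'     # heuristic filter; public roots installed by
                                             # other software will also appear and need triage
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore
            # A root with no EKU restriction, or one listing Server Authentication
            # (1.3.6.1.5.5.7.3.1), can mint leaf certificates a browser will accept
            # for any HTTPS site. That is exactly what a MITM box needs.
            ServerAuth = ($_.EnhancedKeyUsageList.Count -eq 0) -or
                         ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        }
    }
}
$suspect | Sort-Object NotBefore -Descending | Format-Table -AutoSize

# --- (2) Has chrome.exe been patched on disk? ---
# Authenticode only covers the file on disk. 'Valid' means the bytes still match
# Google's signature; 'HashMismatch' means someone changed the binary.
if (Test-Path -Path $chromePath) {
    $sig = Get-AuthenticodeSignature -FilePath $chromePath
    [pscustomobject]@{
        File   = $chromePath
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
    } | Format-List
}
```

The second check catches only on-disk patching; an in-memory hook injected into a running chrome.exe leaves the file's signature intact, and an adversary with Administrator rights can also tamper with the root store query or the check itself. That limitation is the point the thread is making: these checks tell you what an Administrator chose to do, they cannot stop one.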
Replying to @taviso @mdhardeman and
So I'm saying it doesn't make TLS MITM untenable; it forces the vendors' hand to do dangerous things. Do you want more security vendors patching around in chrome.exe? If we could prevent Administrators from MitMing endpoints, you'd better believe I would be hassling the Chrome devs.
3 replies 0 retweets 2 likes
Replying to @taviso @SwiftOnSecurity and
The usual tricks of the sort could be used on normal retail Chrome to make patching untenable and force those who really need MITM to weigh & absorb the costs of running a Bluecoat-maintained Chromium. Reinforces the difference for the end user.
2 replies 0 retweets 0 likes
Replying to @mdhardeman @SwiftOnSecurity and
There are no "usual tricks" that make patching untenable to Administrators, if there were, we would do that. This is one of those "immutable laws of computer security".
1 reply 0 retweets 1 like
Replying to @taviso @SwiftOnSecurity and
That's not entirely true. It's draconian, but all sorts of DRM techniques exist for this stuff. It doesn't have to be perfect. It just has to make it painful enough and change often enough that Bluecoat, etc. can't keep up. See PC gaming...
1 reply 0 retweets 1 like
Replying to @taviso @SwiftOnSecurity and
I think the difference is in controlling the brand and, by doing so, allowing the end user to discern a visible difference. "This is real Chrome, and when I'm in this, it's not cooperating with the boss spying." "This is the work browser that I have to use so that they can see."
1 reply 0 retweets 1 like
Replying to @mdhardeman @taviso and
Yes exactly. That kind of UX distinction is essential to teaching non-security-expert users basic safety AND to building their faith that TLS/HTTPS/encryption actually does what it's claimed to do.
2 replies 0 retweets 2 likes
Replying to @RichFelker @mdhardeman and
Right now we have a public perception crisis where half the time users rightly think HTTPS doesn't protect them because it might be MITM'd, and the other half of the time they think they're safe logging in to their personal Gmail at work.
1 reply 0 retweets 1 like
You're thinking about this at the wrong level. I'm giving up on this thread, they're called the "immutable" laws of computer security for a reason.