If we could prevent endpoint mitm, you know I would be all for this, but aren't we just forcing them to be more sketchy?
Replying to @taviso @SwiftOnSecurity and
It's true for regulated industries, but maybe it's time for that split. Token Binding allows for U2F tokens to be part of the handshake and kills off MITM for 2FA auth, even with a good cert... But... Some industries have regulatory requirements to capture user-generated content.
2 replies 0 retweets 0 likes
Replying to @mdhardeman @SwiftOnSecurity and
I think you're saying that it will break TLS MITM middleware boxes (like Bluecoat). True, but for those to work you already need Administrator access to the endpoint (to install a CA). If you have Admin, you can just hook and patch the browser instead, which is worse!
2 replies 0 retweets 3 likes
Replying to @taviso @mdhardeman and
So I'm saying, it doesn't make TLS MITM untenable, it forces the vendors' hand to do dangerous things. Do you want more security vendors patching around in chrome.exe? If we could prevent Administrators from MitMing endpoints, you better believe I would be hassling Chrome devs.
3 replies 0 retweets 2 likes
Replying to @taviso @SwiftOnSecurity and
The usual tricks of the sort could be used on normal retail Chrome to make patching untenable and force those who really need MITM to weigh & absorb the costs of running a Bluecoat-maintained Chromium. Reinforces the difference for the end user.
2 replies 0 retweets 0 likes
Replying to @mdhardeman @SwiftOnSecurity and
There are no "usual tricks" that make patching untenable to Administrators; if there were, we would do that. This is one of those "immutable laws of computer security".
1 reply 0 retweets 1 like
Replying to @taviso @SwiftOnSecurity and
That's not entirely true. It's draconian, but all sorts of DRM techniques exist for this stuff. It doesn't have to be perfect. It just has to make it painful enough and change often enough that Bluecoat, etc. can't keep up. See PC gaming...
1 reply 0 retweets 1 like
Replying to @taviso @SwiftOnSecurity and
Of course they will, but forcing that extra cost will help constrain it to places it is truly a business requirement. In addition, making it apparent that it's MITM'ed will help enhance user awareness.
1 reply 0 retweets 1 like
Obviously we all want a reliable indicator; there isn't one because it cannot exist. When you start advocating for DRM, you're probably not on the right side of the debate. Do you want me to ask the Chrome team to start shipping new builds with Themida?