Yes exactly. That kind of UX distinction is essential to teaching non-security-expert users basic safety AND to building their faith that TLS/HTTPS/encryption actually does what it's claimed to do.
-
-
Replying to @RichFelker @mdhardeman and
Everyone thinks that, the problem is it's not possible. Why don't you just solve the halting problem Rich, that would make things much easier. Don't you care about users? Do the right thing, stop tweeting and get solving.
1 reply 0 retweets 3 likes -
Replying to @taviso @mdhardeman and
Here "not possible" is a matter of political will/marketplace influence by the browser vendors, not some underlying fundamental impossibility. Tweeting about it is a small step towards making the idea that they should do this mainstream.
1 reply 0 retweets 1 like -
Replying to @RichFelker @mdhardeman and
Write me a program that can safely assert something when the Administrator is malicious, it can be as simple as you like. Make it show the result of X509_verify() or something in a message box.
1 reply 0 retweets 1 like -
Replying to @taviso @mdhardeman and
That's impossible. But what is possible is asserting "either someone committing a crime is in control of this machine, or any certificate it accepts is sufficiently legitimate that your non-backdoored phone/laptop would also accept it".
1 reply 0 retweets 1 like -
Replying to @RichFelker @mdhardeman and
Serious question, If I told you yesterday that today you would be arguing for DRM and that Administrators don't have the right to modify software on their own computers, would you have believed me?
2 replies 0 retweets 1 like -
Replying to @taviso @mdhardeman and
No, because that's not what I'm arguing here. I don't think DRM is necessary or good. I think TM&© are. I don't think you lack a right to modify sw on your own computer. I do think you lack a right to put modified sw in front of a user who's unaware it's modified.
2 replies 0 retweets 2 likes -
Replying to @RichFelker @taviso and
I also don't think you have a right to present to a user a certificate for a domain/company/individual you're not actually authorized to represent. IOW I think all MITM certificates are acts of fraud, and should be prosecuted as such.
1 reply 0 retweets 0 likes -
-
Replying to @SwiftOnSecurity @taviso and
That doesn't make it any less fraudulent. You could sign a release saying you don't care if I forge other people's signatures on checks I give you, but it's still fraud for me to forge those people's signatures.
1 reply 0 retweets 0 likes
Rich... come on 
-
-
Replying to @taviso @RichFelker and
I concur. Would that real privacy could exist even at work, but that's not life and there are employers who only reluctantly deploy this stuff because they're legally required to. I'm not debating validity of corporate MITM. It's valid and needed.
1 reply 0 retweets 0 likes -
Replying to @mdhardeman @taviso and
Where I think there's room for improvement is that I don't believe there's any good reason for any of Chrome's product decisions to be based on not inconveniencing that segment.
1 reply 0 retweets 1 like - 16 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.