That's impossible. But what is possible is asserting "either someone committing a crime is in control of this machine, or any certificate it accepts is sufficiently legitimate that your non-backdoored phone/laptop would also accept it".
Do you think you can safely inject a DLL and hook Chrome? I don't think you can; it's really hard. I think you probably can set up a corporate CA. I don't think you should, but if I have to pick one - I pick the latter.
-
Concur. But where I think this hypothetical hook comes into play is when Bluecoat customers can't log in using a WebAuthn token because of the MITM + a token binding requirement for the auth from the server side.
-
My belief is that this shouldn't discourage token binding or similar anti-MITM techniques which offer realistic security benefit just because they may make the MITM vendors desperate. Just ensure that forking their own browser is easier for them than patching yours.
