2. I think people have a limited willingness to do things to make themselves more secure. By making them do one thing that barely makes a difference, they may not do the things that really do make a difference. Like using 2FA.
Your threat model is very confused: a physically nearby attacker willing to break the law who can only MITM one protocol (TLS) but not another (IPSEC, whatever). So you send all your bits to a shady middleman instead?
I'd base my threat model on what is available off the shelf. The number of attackers capable of buying a COTS tool (WiFi Pineapple) is orders of magnitude larger than the number of folks who can write or even compile custom software.
First of all, there is no COTS TLS interception. You know that, you've already imagined a user who goes through all the trouble of disabling it. Rather than tell users "don't do that", you want them to install a shady VPN service and add another point of failure.
This doesn't make sense, just use TLS.