Not sure I follow the DoH connection, but this almost certainly means they're shipping the private key in the app, which means the CA is required to revoke the certificate. As soon as someone reports it, their app should start failing, so they're about to have a bad day.
-
Yeah, I figured the correct approach to make this never necessary is if browsers all assume localhost is a secure origin, but hadn't checked to see if that was the case. Definitely vulnerable.