Same as AV that does this. I don't want to trust them with MITM capability. Again, why not just create a per-machine self-signed cert with subjectAlternativeName that matches http://localbattle.net and set that as trusted in normal cert store?
-
I guess I'm confused, you already trust them by running setup.exe. I understand if there was additional attack surface (that would be the AV complaint), but what attack surface does adding a locally generated CA add?
-
Why does a hotel mind if you make a duplicate copy of the room keys? They trust you with the room already.
-
I suppose they mind because they don't want you to have access after you've checked out. Are you saying they might maliciously upload the key, then use it as a backdoor later? If they're malicious, there are so many better ways once you've given them Admin, no?
-
It adds a (literal) key trust/management problem to the easier 'clean the room after checkout' problem.
-
I don't see how, describe the attack to me? We're on the same page here that this is a trusted process generating a per-machine certificate, right? If you have an attack against this that doesn't require Administrator, that would be huge - this is really common.
-
No, just looking at this as an opportunity to lessen privilege.
-
This Tweet is unavailable.
-
It's not necessary, but as any attack against it would require Administrator, at which point the attacker could just add their own CA certificate, or just nop out all certificate verification... what does it matter? Maybe it would be cleaner, but there's no security issue here.
-
Am I correct in understanding that the problem being solved here is HTTPS communication with localhost? Because if so, who is the would-be attacker?
-
They want to avoid mixed-content warnings in browsers. There is no network attacker in the current implementation.
-
Okay, that makes sense.