Same as AV that does this. I don't want to trust them with MITM capability. Again, why not just create a per-machine self-signed cert with a subjectAlternativeName that matches http://localbattle.net and set that as trusted in the normal cert store?
I guess I'm confused, you already trust them by running setup.exe. I understand if there was additional attack surface (that would be the AV complaint), but what attack surface does adding a locally generated CA add?
1 reply 0 retweets 1 like
Why does a hotel mind if you make a duplicate copy of the room keys? They trust you with the room already.
2 replies 0 retweets 0 likes
I suppose they mind because they don't want you to have access after you've checked out. Are you saying they might maliciously upload the key, then use it as a backdoor later? If they're malicious, there are so many better ways once you've given them Admin, no?
1 reply 0 retweets 3 likes
It adds a (literal) key trust/management problem to the easier 'clean the room after checkout' problem.
2 replies 0 retweets 1 like
I’ve seen lots of people thinking that public key encryption solves a problem that it doesn’t. They end up storing/exposing a private key kinda near where the public key is used.
1 reply 0 retweets 1 like
So the attack is a well-meaning but incompetent administrator clicks through all the warnings to export private keys, then gives it to an attacker? How do you deal with this attack, an incompetent user clicking through warnings and sharing passwords with an attacker?
1 reply 0 retweets 0 likes
I was talking about developers embedding private keys in binaries or local configuration files. You'd be surprised at how many times over the years people suggested that we just give 1Password's localhost web socket a server certificate.
2 replies 0 retweets 1 like
Hmm, but that is the problem Blizzard are trying to solve. They generate a per-machine certificate, so do not have to embed a static private key. That is the correct solution, no?
2 replies 0 retweets 0 likes
Where is the private key for that certificate supposedly held? I thought it was local to the client (which was the error I was talking about).
1 reply 0 retweets 0 likes
Yes, it's local to the client and only applicable to the machine it's hosted on (it can't be used to attack other machines). If you're compromised, an attacker could steal it, but why would they?