I had a realization about EV certs recently: They don't make any sense if you have any third party content. Do people agree with that?
Replying to @hanno
if you think third-party scripts matter here, why not same-origin non-EV scripts?
2 replies 1 retweet 0 likes -
Replying to @tehjh
not sure I follow. don't all same-origin scripts have the same cert?
1 reply 1 retweet 0 likes -
Replying to @hanno
two HTTPS connections to the same server can get different certs
3 replies 1 retweet 0 likes -
Replying to @tehjh
however not sure how practical this is with keep-alive and http2. can mitm force different connections for different requests?
1 reply 1 retweet 0 likes -
Replying to @hanno
well, another way to do this is to let the browser cache an evil script ahead of time. Caching isn't bound to cert/network/...
1 reply 1 retweet 0 likes -
(and yes, that also means any open wifi you use can inject scripts that run when you access your router webui in your home network)
2 replies 2 retweets 1 like -
have you POC'ed that / written that up anywhere?
1 reply 0 retweets 1 like
only mentioned it in the "Cache Poisoning" section of https://thejh.net/written-stuff/want-to-use-my-wifi …, which mostly just mentions web security basics