two HTTPS connections to the same server can get different certs
Replying to @tehjh
however not sure how practical this is with keep-alive and http2. can mitm force different connections for different requests?
Replying to @hanno
well, another way to do this is to let the browser cache an evil script ahead of time. Caching isn't bound to cert/network/...
(and yes, that also means any open wifi you use can inject scripts that run when you access your router webui in your home network)
/cc @mikewest this seems like the kind of problem you'd be working on?
a crappy mitigation would be to block all persistence for local origins. But if windows stay open during network change...
yeah, thought about that, too. Or all routers have to implement subresource integrity
are you sure HTML docs aren't cacheable?
you're right of course...
well, there is a fix. Let *.some.domain point to router IP, one hostname per router, each router gets its own HTTPS cert
but I don't think anything like that will be rolled out anytime soon