So we could lobby browser to reject certs with these visibility attributes but it could always be done without signaling. I don’t think there’s any way to prevent an endpoint from exposing everything.
There never was. Never could have been. The IETF had the option of making this an extension where at least both sides would have had to opt into it via a TLS extension. That seemed like a pretty sweet deal to me.
I guess, but that wouldn’t preclude doing exactly this. It just provides another mechanism.
Given that this was always going to happen, the whole point was to encourage the industry to do it in the safest way possible, with strong oversight by the IETF. There wouldn't be any support behind an alternative like this one if the IETF had done that.
This Tweet is unavailable.
Replying to @kennwhite @4Dgifts and
Ah yes, each time an HTTPS site is visited, click through to a screen where a user looks at a field ("Issued by") that is completely arbitrary and attacker-controlled. Got it. :) Perhaps you were being sarcastic, though, in which case I'll show myself to the door...
Replying to @wdormann
An obligatory blast from the past (I mean, who doesn't love the name "superfish"). But no, not suggesting reading dialog boxes en masse. If someone were sufficiently motivated, I suppose I could envision a Chrome extension warning when connecting to a site signed by a non-built-in root.
Replying to @kennwhite
Chrome leverages the OS-level root CA store. What distinguishes a built-in root vs. a user-installed root? And in Windows, the trusted root CA list grows with use of the system as well. For example, a clean Win10 install has a smaller list of trusted root CAs vs. one that's used
Replying to @wdormann
Ah, right. I get FF & Chrome policies reversed. FTR, I'm not at all suggesting this is a good idea, but /if/ someone were to do this, maybe a web service periodically updated with published OS cert lists could seed it? But really, just, no.
There was some work put into frameworks where browsers would compare certificates presented to you by websites vs. what other folks were seeing (and compared via fingerprints, as opposed to forgeable human-readable names). https://en.wikipedia.org/wiki/Convergence_(SSL) Sadly, they've been abandoned.
Replying to @wdormann @kennwhite
Why not embed the allowable CAs into the DNS records so your browser can hit up the CA's server and check if the certificate is signed by the CA?