
Re: SSL/TLS everywhere fail

From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 5 Dec 2015 11:41:22 +1100
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
Message-Id: <5CE624A2-C088-4B6E-95CB-F5C82EC48225@mnot.net>
To: Jacob Appelbaum <jacob@appelbaum.net>

> On 5 Dec 2015, at 2:08 am, Jacob Appelbaum <jacob@appelbaum.net> wrote:
> 
>> But SSL/TLS is just about the worst encryption you can bring to
>> that fight, because it is *so* trivial and routine to MiTM that you
>> can find the list-price for the necessary equipment on Google.
> 
> This is where we diverge, I suspect. None of that equipment is going
> to work against PayPal or Google or even Tor Project's website when a
> user uses a modern browser as those sites are TLS with cert pinning.

Last I checked, browsers don't enforce pins when a MiTM CA is installed locally, and they don't intend to in the foreseeable future.

Cheers,

--
Mark Nottingham   https://www.mnot.net/
Received on Saturday, 5 December 2015 00:41:54 UTC
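The behaviour Mark describes (a chain that ends in a locally installed root skips pin validation, which RFC 7469 section 2.6 explicitly permits) is easy to see once written as the decision a client actually makes. The following is an added illustration, not code from the thread or from any browser; certificates are modelled only by a name, stand-in SubjectPublicKeyInfo bytes and an issuer link, and every certificate, key and pin below is constructed for the example.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional

# Added example. Certificates are modelled by constructed SPKI stand-in
# bytes, not real DER; only the pin computation is the real RFC 7469 rule.


@dataclass(frozen=True)
class Cert:
    name: str
    spki: bytes                        # SubjectPublicKeyInfo (constructed)
    issuer: Optional["Cert"] = None    # None means self-signed root


def spki_pin(spki: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def chain_of(leaf: Cert) -> list:
    """Follow issuer links from the leaf up to the self-signed root."""
    chain = [leaf]
    while chain[-1].issuer is not None:
        chain.append(chain[-1].issuer)
    return chain


def validate_pins(leaf, pins, public_roots, local_roots,
                  enforce_on_local_anchors=False):
    """Return (accepted, reason) for a chain against a host's pin set.

    Default policy is the one browsers ship: if the chain terminates in a
    user-installed (local) trust anchor, pins are not checked at all, so a
    locally trusted MiTM CA passes. enforce_on_local_anchors=True shows
    what a stricter client would do with the same chain.
    """
    chain = chain_of(leaf)
    root = chain[-1]
    if root in local_roots:
        if not enforce_on_local_anchors:
            return True, "local trust anchor: pin validation skipped"
    elif root not in public_roots:
        return False, "untrusted root"
    for cert in chain:
        if spki_pin(cert.spki) in pins:
            return True, f"pin matched on {cert.name}"
    return False, "no pinned key in chain"


# Constructed PKI for the example.
PUBLIC_ROOT = Cert("Public Root CA", b"spki:public-root")
SITE_CA = Cert("Public Intermediate", b"spki:public-intermediate", PUBLIC_ROOT)
SITE_LEAF = Cert("example.com", b"spki:example-leaf", SITE_CA)
OTHER_CA = Cert("Other Public CA", b"spki:other-public", PUBLIC_ROOT)
MISISSUED_LEAF = Cert("example.com (mis-issued)", b"spki:misissued-leaf", OTHER_CA)
MITM_ROOT = Cert("Corporate Proxy CA", b"spki:corporate-proxy-root")
MITM_LEAF = Cert("example.com (proxy)", b"spki:proxy-leaf", MITM_ROOT)
ROGUE_ROOT = Cert("Unknown Root", b"spki:unknown-root")
ROGUE_LEAF = Cert("example.com (rogue)", b"spki:rogue-leaf", ROGUE_ROOT)

PUBLIC_ROOTS = {PUBLIC_ROOT}          # the browser's built-in store
LOCAL_ROOTS = {MITM_ROOT}             # added by an admin or proxy installer
# The site pins its intermediate's key plus an offline backup key.
SITE_PINS = {spki_pin(SITE_CA.spki), spki_pin(b"spki:backup-key")}


def demo():
    """Run the four cases that matter for the point in the thread."""
    return {
        "legit": validate_pins(SITE_LEAF, SITE_PINS, PUBLIC_ROOTS, LOCAL_ROOTS),
        "misissued_public": validate_pins(MISISSUED_LEAF, SITE_PINS, PUBLIC_ROOTS, LOCAL_ROOTS),
        "local_mitm": validate_pins(MITM_LEAF, SITE_PINS, PUBLIC_ROOTS, LOCAL_ROOTS),
        "local_mitm_strict": validate_pins(MITM_LEAF, SITE_PINS, PUBLIC_ROOTS, LOCAL_ROOTS,
                                           enforce_on_local_anchors=True),
        "untrusted": validate_pins(ROGUE_LEAF, SITE_PINS, PUBLIC_ROOTS, LOCAL_ROOTS),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:18s} accepted={ok!s:5s} {why}")
```

The mis-issued certificate from a different public CA is the case pinning was designed to stop, and it is rejected; the proxy certificate chained to the locally installed root is accepted without any pin check, which is exactly why a locally trusted MiTM CA defeats pinning in the default browser policy.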
