- From: Mark Nottingham <mnot@mnot.net>
- Date: Sat, 5 Dec 2015 11:41:22 +1100
- To: Jacob Appelbaum <jacob@appelbaum.net>
- Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
> On 5 Dec 2015, at 2:08 am, Jacob Appelbaum <jacob@appelbaum.net> wrote:
>
>> But SSL/TLS is just about the worst encryption you can bring to
>> that fight, because it is *so* trivial and routine to MiTM that you
>> can find the list-price for the necessary equipment on Google.
>
> This is where we diverge, I suspect. None of that equipment is going
> to work against PayPal or Google or even Tor Project's website when a
> user uses a modern browser as those sites are TLS with cert pinning.

Last I checked, browsers don't enforce pins when a MiTM CA is installed locally, and they don't intend to in the foreseeable future.

Cheers,

--
Mark Nottingham https://www.mnot.net/
Received on Saturday, 5 December 2015 00:41:54 UTC