- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 19 Feb 2015 19:44:38 +0100
- To: noloader@gmail.com
- Cc: Anne van Kesteren <annevk@annevk.nl>, public-webapps WG <public-webapps@w3.org>
* Jeffrey Walton wrote:
>Here's yet another failure that Public Key Pinning should have
>stopped, but the browser's rendition of HPKP could not stop because of
>the broken security model:
>http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/.

In this story the legitimate user with full administrative access to the
systems is Lenovo. I do not really see how actual user agents could have
"stopped" anything here. Timbled agents that act on behalf of someone
other than the user might have denied users their right to modify their
system as Lenovo did here, but that is clearly out of scope of browsers.

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
Available for hire in Berlin (early 2015) · http://www.websitedev.de/

Received on Thursday, 19 February 2015 18:45:12 UTC