[SSL Observatory] SSL CA compromise in the wild
Matt McCutchen
matt at mattmccutchen.net
Wed Mar 23 10:08:36 PDT 2011
On Wed, 2011-03-23 at 12:57 -0400, Daniel Kahn Gillmor wrote:
> HSTS has nothing to say about certificate verification, afaict.
Actually, it tells the browser not to allow the user to accept bad
certs. It's unfortunate that the single mechanism has two orthogonal
effects, when some site admins may want only one. E.g., for my personal
web site, I want to force HTTPS to prevent cookie forcing, but I don't
want to block bad certs because that breaks users who choose to disable
all the default CAs and accept server certificates individually.
--
Matt
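To make the two bundled effects concrete, here is an added example (not code from the original thread or from Matt) that models what a browser does with a remembered HSTS policy: the scheme upgrade and the refusal to let a user override certificate errors. The header parser, the `HstsPolicy` store and the sample hostnames are my own constructions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns None when max-age is missing or malformed, since the header is
    then invalid and a browser must ignore it."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else HstsPolicy(max_age, include_sub)


def is_known_hsts_host(host, store):
    """Look the host up in a constructed store {hostname: HstsPolicy}.

    A superdomain entry only matches when it carries includeSubDomains;
    max-age=0 means the policy was withdrawn and must not match."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy is None or policy.max_age == 0:
            continue
        if i == 0 or policy.include_subdomains:
            return True
    return False


def browser_decision(url, store):
    """Both HSTS effects at once: http is rewritten to https, and a
    certificate error on a known HSTS host cannot be clicked through."""
    parts = urlsplit(url)
    hsts = is_known_hsts_host(parts.hostname or "", store)
    return {"scheme": "https" if hsts else parts.scheme,
            "cert_error_overridable": not hsts}
```

Note that `cert_error_overridable` is false whenever `scheme` is upgraded: the model has no way to request one effect without the other, which is the complaint in the message above.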