[SSL Observatory] SSL CA compromise in the wild

Jacob Appelbaum jacob at appelbaum.net
Wed Mar 23 14:41:47 PDT 2011


On 03/23/2011 02:39 PM, ArkanoiD wrote:
> I do not see how HSTS helps. It does nothing besides enforcing TLS; the trust model is still the same.

HSTS helps because at least with Chrome, it requires OCSP checking to
pass. Thus a MITM cannot (without compromising the CA entirely) simply
deny CRL/OCSP checks.

This is not the case with other browsers.

All the best,
Jacob


