[SSL Observatory] SSL CA compromise in the wild
Jacob Appelbaum
jacob at appelbaum.net
Wed Mar 23 14:41:47 PDT 2011
On 03/23/2011 02:39 PM, ArkanoiD wrote:
> I do not see how HSTS helps. It does nothing besides enforcing TLS, trust model is still the same.
HSTS helps because at least with Chrome, it requires OCSP checking to
pass. Thus a MITM cannot (without compromising the CA entirely) simply
deny CRL/OCSP checks.
This is not the case with other browsers.
All the best,
Jacob