[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

ArkanoiD ark at eltex.net
Wed Sep 7 02:47:58 PDT 2011


On Wed, Sep 07, 2011 at 11:42:22AM +0200, Jacob Appelbaum wrote:
> 
> We shouldn't damage the security of the internet to meet the needs of
> some corporate security culture nonsense. If cert pinning is easily
> disabled without user interaction it will be disabled by an attacker. 

Not necessary.

> If you have special corporate needs, why don't you recompile the browser
> to remove the security features that protect users? I'm sure some
> corporation's overworked security team will do a better job!

Actually at the moment my MITM proxy enforces certificate security way better than browsers do.

> I have requested cert pinning in Chrome because if the wrong certs are
> presented, I want it to fail closed. I want users to avoid being MITM'ed
> by attackers regardless of their intentions or corporate environmental
> needs.

Ah, then losing all network traffic control (it means just that: poke one hole and one is more than enough) is good for security. "Great".