undefined | Better HN

0 pointssamatman5y ago0 comments

Yeah, that confused me as well.

Even if there was some wrinkle about the loop argument that I didn't understand, and HTTPS is out: Apple could encrypt the base64 payload, and the sniffable info is reduced to which computer is phoning home, which is something that someone with the ability to middle comms probably knows already.

"roll your own encryption and send it over HTTP" is a bad idea in general but... this is Apple, they can and do implement encryption. Why not here?

0 comments

1 comments · 1 top-level

brabel5y ago

The OCSP RFC[1] specifies that if requests are made using HTTP, they MAY be protected via TLS or "some other lower-layer protocol".

[1] https://tools.ietf.org/html/rfc6960#appendix-A.1

j / k navigate · click thread line to collapse