undefined | Better HN

0 pointsmjg592y ago0 comments

Most browsers will reject such a certificate. See https://googlechrome.github.io/CertificateTransparency/ct_po... for the policy Chrome imposes - my understanding is that Safari is broadly similar. Right now I don't think Firefox performs this validation, so this is possible if you know in advance that your target runs Firefox.

0 comments

matthew92192y ago

That page explains that Chrome (which is best in class here - most IOT devices don't do any of this stuff) fails open:

> If the installed version of Chrome has not applied security updates and has been unable to obtain an updated CT log list from the Component Updater for 70 days or more, then CT enforcement will be disabled.

That means a global adversary need merely block the update channel to targeted devices and wait. How will a Smart TV behave?

mjg59OP2y ago

You're moving the goalposts to a ridiculous degree. Chrome will be incredibly angry at you if you haven't updated in 70 days. How will a smart TV behave? I've no idea. It's probably not paying any attention to dnssec (otherwise pihole and co wouldn't work), so I don't think you're presenting a credible alternative.

matthew92192y ago

That's just not what's happening. Reread the conversation. I started from here:

> Certificate transparency is cool, but it's not clear it really works for many classes of devices

Smart TVs aren't some gotcha I'm throwing in at the end. It's literally the first thing I said about CT. CT works ok for mobile phones, laptops, and other devices where you can make certain assumptions about multiple networks and frequent updates. If you want a technology that doesn't require these assumptions, you want DNSSec.

mjg59OP2y ago

Once you've got a 70 day old browser you're just waiting for it to hit one domain you can MITM or serve content from and then you've got arbitrary code execution and who cares whether dnssec is involved or not. Attacking CT is just not the threat model to be concerned about.

1 more reply

j / k navigate · click thread line to collapse

0 comments

matthew92192y ago

That page explains that Chrome (which is best in class here - most IOT devices don't do any of this stuff) fails open:

That means a global adversary need merely block the update channel to targeted devices and wait. How will a Smart TV behave?

mjg59OP2y ago

matthew92192y ago

That's just not what's happening. Reread the conversation. I started from here:

> Certificate transparency is cool, but it's not clear it really works for many classes of devices

mjg59OP2y ago

1 more reply

j / k navigate · click thread line to collapse