undefined | Better HN

0 pointssupriyo-biswas2y ago0 comments

If a nonprofit like Let’s Encrypt can perform automated certificate renewal with a few API calls, so can the government.

Also, MITMs are a thing and getting the EIDAS certs in the root store will show that the certs in question are trusted, which is all that really matters because there is no way for users to know what certificates were actually installed by the website owner.

0 comments

Jensson2y ago

That has nothing to do with this, I don't think you understand this vulnerability. You can see which certificate authority issued the cert, so you can see if the suddenly the site started using a vulnerable cert provider and thus know that it is compromised. Note that the same attack is possible right now, the only difference is how your browser displays it, you can just install a plugin to get back the original behavior if you want. So this in no way prevents you from secure browsing.

TLDR: If you are worried about security you can always install a plugin to get back the old behavior. This just says that browsers should be able to trust them, not that you have to configure your browser to trust them.

supriyo-biswasOP2y ago

CA changes can happen due to many legitimate regions. Pinning certificates in this way doesn’t scale, as we saw with the deprecation of HPKP.

Jensson2y ago

All you need is a list of trusted CA's, like we do right now, and then issue a warning if it isn't on that list. It is a very simple plugin to make.

1 more reply

g-b-r2y ago

First, few people would know that they should install a plugin, second, since the laws says that browsers "shall ensure", there's a good chance that they would be forced to try to block these plugins

j / k navigate · click thread line to collapse

0 pointssupriyo-biswas2y ago0 comments

If a nonprofit like Let’s Encrypt can perform automated certificate renewal with a few API calls, so can the government.

0 comments

Jensson2y ago

supriyo-biswasOP2y ago

CA changes can happen due to many legitimate regions. Pinning certificates in this way doesn’t scale, as we saw with the deprecation of HPKP.

Jensson2y ago

All you need is a list of trusted CA's, like we do right now, and then issue a warning if it isn't on that list. It is a very simple plugin to make.

1 more reply

g-b-r2y ago

First, few people would know that they should install a plugin, second, since the laws says that browsers "shall ensure", there's a good chance that they would be forced to try to block these plugins

j / k navigate · click thread line to collapse