undefined | Better HN

0 pointsalexnewman8mo ago0 comments

Read how Tls works. Many people Can mitm. That’s why we sign applications

0 comments

4 comments · 2 top-level

dns_snek8mo ago· 1 in thread

If they can MITM the installation script delivered over HTTPS, they can also MITM the website delivered over HTTPS.

You can have 10 step instructions for users to add your PGP signing key and install your APT repository, but what difference does it make? None at all. A malicious website will copy your instructions and replace the signing key and the repository URL with their own.

alexnewmanOP8mo ago

No because the apps are signed and have it's own chain of trust independent of tls

Sohcahtoa828mo ago· 1 in thread

I've read how TLS works. No, you can't MITM it unless your server or client have been altered to be deliberately insecure (ie, having a server with a self-signed certificate or a client that doesn't verify certificates). If you could, the entire internet would be broken.

alexnewmanOP8mo ago

What happens when your certificate authority goes after you

j / k navigate · click thread line to collapse