This is my thinking. >> Not a hash of the contents, just the sub/external domains' key-ids. Yes, the main page would have to change if you updated the keys. Doesn't seem too onerous to me. Then that means each external…
> Should you ever really trust kiosk machines? They could easily be setup with MITM eavesdropping software. I should have the choice. This doesn't even give me that. > Presumably there could be some sort of <meta>…
I completely disagree with this. Public key pinning has some well known problems that make it very dangerous to implement at scale [1]. There are some very large problems that this introduces and does not solve: - How…
While HPKP looks good, I really wouldn't implement it. Too dangerous for big sites in it's current form. Ivan puts it better than me: https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-ke...
Generally the cliche is about not implementing your own cryptographic algorithms. As long as they only implement existing algorithms and don't generate new ones, I don't think this applies.
"Although Mozilla’s sanctions are too severe..." These guys must be joking. Trust has been lost, the roots should be permanently revoked. If anything, I think Mozilla's actions are not severe enough. How likely is it…
Oh no! Now where will I get my smug sense of satisfaction from?
True enough. But those who steal your account information and use it to pose as you don't follow the rules and regulations.
There are a lot of keyboard warriors in this thread. This guy puts forward a rational argument for big business. Unless you have extensive experience in this area, perhaps you shouldn't be so quick to judge "oh they are…
I'm a bit disappointed that this article doesn't mention the threats specifically that SSL in this way will defend against.. So what if the back end isn't encrypted? How much more unlikely is it that someone will be…
This is my thinking. >> Not a hash of the contents, just the sub/external domains' key-ids. Yes, the main page would have to change if you updated the keys. Doesn't seem too onerous to me. Then that means each external…
> Should you ever really trust kiosk machines? They could easily be setup with MITM eavesdropping software. I should have the choice. This doesn't even give me that. > Presumably there could be some sort of <meta>…
I completely disagree with this. Public key pinning has some well known problems that make it very dangerous to implement at scale [1]. There are some very large problems that this introduces and does not solve: - How…
While HPKP looks good, I really wouldn't implement it. Too dangerous for big sites in it's current form. Ivan puts it better than me: https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-ke...
Generally the cliche is about not implementing your own cryptographic algorithms. As long as they only implement existing algorithms and don't generate new ones, I don't think this applies.
"Although Mozilla’s sanctions are too severe..." These guys must be joking. Trust has been lost, the roots should be permanently revoked. If anything, I think Mozilla's actions are not severe enough. How likely is it…
Oh no! Now where will I get my smug sense of satisfaction from?
True enough. But those who steal your account information and use it to pose as you don't follow the rules and regulations.
There are a lot of keyboard warriors in this thread. This guy puts forward a rational argument for big business. Unless you have extensive experience in this area, perhaps you shouldn't be so quick to judge "oh they are…
I'm a bit disappointed that this article doesn't mention the threats specifically that SSL in this way will defend against.. So what if the back end isn't encrypted? How much more unlikely is it that someone will be…