Hacker News
by snvzz 950 days ago
This is insane, and we should hurry up and prepare the technical ways to ensure we know it if we are served a different cert than everybody else.

There's ongoing work in this field, but it is now a priority to have it ready.

1 comments

It exists and works already: Certificate Transparency logs, HSTS and Cert Pinning are “protecting”.

The first may have the side effect (or intended?) of informing US companies which websites you are visiting upon addition of new entries, though…

Yes, the problem is that apparently this would outlaw it.

Incidentally, there was a very similar-sounding provision announced in the UK yesterday:

'make tech companies clear security features with the Home Office'

> Certificate Transparency logs

CT logs are just, well, logs. They don't do anything to protect you from having your traffic intercepted via a maliciously issued certificate. You might learn later (if somebody bothers to check) that it occurred, but at that point the damage is already done.

> HSTS

This just says the connection should only be established via HTTPS, nothing more.

> Cert Pinning

Cert pinning has been removed both from Chromium and Firefox.

https://chromestatus.com/feature/5903385005916160

https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Rel...

Yes, exactly: the 3 elements are necessary for the protection to work.

HSTS is the official way to force HTTPS (aside from 301 redirects); if you have the best certificate in the world but the client is using HTTP, then there is no point.

If you only have CT logs you are just catching the issue (if... the CT log servers themselves are not blocked by the rogue actor), but it's still too late.

Cert Pinning is here to prevent the issue; whether browsers want to follow it or not is another question.

Right, I think I misunderstood what you were saying earlier.
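
As an added illustration of the two HSTS remarks in the thread ("only be established via HTTPS, nothing more" and "if the client is using HTTP, then there is no point"), here is a minimal RFC 6797 policy store. It is example code, not from any commenter or browser; `parseHsts`, `HstsStore` and the `.test` hosts are constructed for the example. Note that the upgrade decision never looks at the certificate, which is why HSTS alone does nothing about a mis-issued one.

```javascript
// Minimal HSTS (RFC 6797) policy handling. Names and hosts are illustrative.
function parseHsts(header) {
  const seen = new Map();
  for (const part of header.split(';')) {
    const [rawName, ...rest] = part.trim().split('=');
    const name = rawName.trim().toLowerCase();   // directive names are case-insensitive
    if (!name) continue;                         // tolerate empty directives ("a;;b")
    if (seen.has(name)) return null;             // duplicate directive: ignore the header
    seen.set(name, rest.join('=').trim().replace(/^"(.*)"$/, '$1'));
  }
  const maxAge = seen.get('max-age');
  if (maxAge === undefined || !/^\d+$/.test(maxAge)) return null; // max-age is mandatory
  return { maxAge: Number(maxAge), includeSubDomains: seen.has('includesubdomains') };
}

class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Record a header seen on a response; `now` is in seconds.
  note(url, header, now) {
    const { protocol, hostname } = new URL(url);
    if (protocol !== 'https:') return;           // a header sent over plain HTTP is ignored
    const policy = parseHsts(header);
    if (!policy) return;
    if (policy.maxAge === 0) this.hosts.delete(hostname);   // max-age=0 clears the policy
    else this.hosts.set(hostname, { expires: now + policy.maxAge, sub: policy.includeSubDomains });
  }

  // Rewrite http:// to https:// when an unexpired policy covers the host.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return u.href;
    const labels = u.hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      // i === 0 is the exact host; parent entries apply only with includeSubDomains.
      if (entry && entry.expires > now && (i === 0 || entry.sub)) {
        u.protocol = 'https:';
        break;
      }
    }
    return u.href;
  }
}
```

The first visit to a host the store has never seen is still made over whatever scheme was requested, which is the gap preload lists exist to close.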