Hacker News new | ask | show | jobs
by rvnx 956 days ago
It exists and works already: Certificate Transparency logs, HSTS and Cert Pinning are “protecting”.

The first may have the side-effect (or intended ?) to inform US companies which websites you are visiting upon addition of new entries though…
2 comments
ajb 956 days ago
Yes, the problem is that apparently this would outlaw it.

Incidentally there a very similar sounding provision announced in the UK yesterday:

'make tech companies clear security features with the Home Office'

link
frankjr 956 days ago
> Certificate Transparency logs

CT logs are just, well, logs. They don't do anything to protect you from having your traffic intercepted via maliciously issued certificate. You might learn later (if somebody bothers to check) that it occurred but at that point the damage is already done.

> HSTS

This just says the connection should only be established via HTTPS, nothing more.

> Cert Pinning

Cert pinning has been removed both from Chromium and Firefox.

https://chromestatus.com/feature/5903385005916160

https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Rel...

link
rvnx 956 days ago
Yes exactly the 3 elements are necessary for the protection to work.

HSTS is the official way to force HTTPS (aside 301 redirects), if you have the best certificate in the world, but the client is using HTTP, then there is no point.

If you only have CT logs you are just catching the issue (if... the CT log servers themselves are not blocked by the rogue actor), but it's still too late.

Cert Pinning is here to prevent the issue, whether browsers or not wants to follow it is another question.

link
frankjr 956 days ago
Right, I think I misunderstood what you were saying earlier.
link