"There's the fact that MITM for http is minimally different than https."
Unless I'm missing something important, that can be prevented with key pinning.
Key pinning could do a little towards preventing MITM, but implementing it is dangerous - in fact the whole standard is dangerous. Smashing Magazine went live with it, then had a cert expire before their max-age header did - rendering their site unavailable to repeat visitors. Then there are attacks like pkpransom to deal with, or the fact that Chrome doesn't implement HPKP properly.
Only ~400 sites actually implement pinning. It's going to be more of a security problem than a security solution in the next couple of years.
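The lockout described in the comment above, where browsers keep enforcing pins after the certificate they were served with has expired, can be checked for before a header ships. This is an added example, not part of the original thread; the function names, the finding codes and the sample values are hypothetical, and it assumes only the leaf key's pin is compared.

```python
from datetime import datetime, timedelta, timezone

def parse_hpkp(value):
    """Parse a Public-Key-Pins header value into pins, max-age and scope."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256" and arg:
            policy["pins"].append(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit_pin_policy(header_value, served_pin, cert_not_after, now):
    """Return finding codes for a pin policy that can lock out repeat visitors."""
    policy = parse_hpkp(header_value)
    if policy["max_age"] is None or not policy["pins"]:
        return ["MALFORMED_HEADER"]
    findings = []
    if served_pin not in policy["pins"]:
        findings.append("SERVED_KEY_NOT_PINNED")
    # A pin for a key that is not in use is the only way to rotate keys safely.
    if not [p for p in policy["pins"] if p != served_pin]:
        findings.append("NO_BACKUP_PIN")
    # Browsers remember the pins until now + max-age, whatever happens to the cert,
    # so the replacement cert must use one of the pinned keys.
    if now + timedelta(seconds=policy["max_age"]) > cert_not_after:
        findings.append("PINS_OUTLIVE_CERT")
    return findings

# Constructed sample values (placeholders, not real key hashes or dates).
PIN_LIVE = "TElWRS1LRVktUExBQ0VIT0xERVI="
PIN_BACKUP = "QkFDS1VQLUtFWS1QTEFDRUhPTERFUg=="
NOW = datetime(2016, 10, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = NOW + timedelta(days=31)

RISKY = f'pin-sha256="{PIN_LIVE}"; pin-sha256="{PIN_BACKUP}"; max-age=31536000'
SAFER = f'pin-sha256="{PIN_LIVE}"; pin-sha256="{PIN_BACKUP}"; max-age=86400'

if __name__ == "__main__":
    print(audit_pin_policy(RISKY, PIN_LIVE, CERT_NOT_AFTER, NOW))
    print(audit_pin_policy(SAFER, PIN_LIVE, CERT_NOT_AFTER, NOW))
```

`PINS_OUTLIVE_CERT` is not fatal by itself: it means the renewed certificate has to be issued for a key that is already in the pin set.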
> Entire point of SSL/TLS is to ensure end to end authenticity and confidentiality.
The point is that country A can strong-arm a certificate authority under their domain to sign any certificate they want. So if A wants to MITM Google or GitHub they can, and there's no way for you to know which certificate is the real one and which is the fake.