[kwlug-disc] Blue Coat
Hubert Chathi
hubert at uhoreg.ca
Sun May 29 15:45:26 EDT 2016
On Sat, 28 May 2016 21:34:44 -0400, "B.S." <bs27975.2 at gmail.com> said:
> However ... if that first cert fetch came from one of these
> untrustworthy CA intermediaries - has one accomplished anything?
Yes, that's absolutely right. Pinning, and other "trust on first use"
(TOFU)-like schemes operate under the assumption that an attacker is not
doing long-term surveillance, in which case either your first contact
with a site is prior to the attack, or future interactions will be
after the attack is done, at which point you will notice the key change
and realize that something fishy happened.
So it's not perfect, but it's a slight improvement since it limits what
kind of attack you are vulnerable to and/or who is able to attack you.
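As an added illustration of the point made in this reply (example code, not from the thread or any of its participants): a minimal trust-on-first-use pin store run through both orderings the reply describes, using a made-up host name and constructed certificate bytes in place of real certificates.

```python
import hashlib
from dataclasses import dataclass, field

# Added example, not from the mailing-list thread: a minimal TOFU pin store.
# The certificate bytes used below are constructed sample values, not real
# certificates; only their SHA-256 fingerprints matter for the demonstration.

@dataclass
class TofuPinStore:
    pins: dict = field(default_factory=dict)   # host -> pinned fingerprint

    def observe(self, host: str, cert_der: bytes) -> str:
        """Record or check the certificate presented for `host`.

        Returns "first-use" when no pin exists yet (the cert is accepted
        blindly), "match" when it equals the pin, and "MISMATCH" when the
        key has changed since the pin was recorded.
        """
        fp = hashlib.sha256(cert_der).hexdigest()
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            return "first-use"
        return "match" if pinned == fp else "MISMATCH"


def run_scenario(first_contact_under_attack: bool) -> list:
    """Simulate three connections to one host and return the verdicts.

    Connection 1: first contact (pin is recorded).
    Connection 2: during an active interception (interceptor's cert).
    Connection 3: after the interception has ended (genuine cert again).
    """
    genuine = b"constructed-genuine-cert-for-example.test"
    intercept = b"constructed-interceptor-cert-for-example.test"
    store = TofuPinStore()
    host = "example.test"          # hypothetical host name
    first = intercept if first_contact_under_attack else genuine
    return [store.observe(host, first),
            store.observe(host, intercept),
            store.observe(host, genuine)]
```

When the first contact happens before the attack, the key change is flagged while the interception is active; when the first contact is itself intercepted, the interception looks like a match and the mismatch only appears once the genuine certificate returns, which is the "after the attack is done" case above.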