On Mon, 11 Jan 2016, Peter Gutmann wrote:

> Paul Wouters <[email protected]> writes:
>
> > > If you disallow the cert and turn off encryption, Borat can still read
> > > everyone's traffic, but so can everyone else on the planet.
> >
> > Who said "turn off encryption"?
>
> If you don't allow the MITM cert, which is needed to enable encryption in the
> browser, you don't get any encryption. Disallowing the MITM cert has the
> effect of turning off encryption.

Or we ensure that Firefox and Chrome refuse to see those sites at all,
because they refuse a downgrade attack. Let the nation state basically
block all of the sites they want to MITM and see how that works out.
Otherwise, allowing this is just the same as backdoored encryption in
the browser - and it will be coming to a browser or nation state near
us.
Paul
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy