On Thu, Jan 17, 2013 at 3:56 PM, Luigi Rosa <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > If this message is offtopic, please excuse me. > > I was reading about Nokia HTTPS MitM. Many corporate firewall can MitM HTTPS > for content inspection and many governments do this for their reasons. > > I was thinking: could it be possible to create a fake HTTPS stream to DoS the > MitM attempt? Stop conferring trust.
Pin the certifcate or public key. Google used it to vet out the Diginotar compromise in Chrome (all other browsers suffered). Its similar to SSH's StrictHostKeyChecking option. Its also on track for internet standards: http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04. Use Secure Remote Password (SRP). SRP is basically Diffei-Hellman using the password as an exponent (lots of handwaiving). Don't trust browsers. That includes Mozilla (Trustwave and the closed door, back room deals) or Opera (Nokia and its 'Acceleration Interception'). Jeff _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
