I don't know if you're referring to HSTS.  If not, it's worth noting in
this thread.  As I understand HSTS, session decryption is still possible
on sites that send the 'Strict-Transport-Security' header.  See:
https://tools.ietf.org/html/rfc6797

I suspect it's only a matter of time before browsers become suspicious by
default, requiring that HTTPS responses be signed and requiring that SSL
certificates come from trusted sources.  In other words, HSTS is the next
step in a long-running arms race.  It will not be the last.  See this 1997
article for a taste: http://www.apacheweek.com/features/ssl
Money quote: "The US Government imposes export restrictions on arms, in a
set of rules called ITAR"

All of this points to the deficiency of the existing commercial
certificate authority system.  The fact that organizations can easily
purchase software specifically designed to subvert encrypted communication
channels is proof that HTTPS security is an illusion.


Kelly


On 1/18/15, 12:31 PM, "William Waites" <[email protected]> wrote:

>On 18 Jan 2015 18:15:09 -0000, "John Levine" <[email protected]> said:
>
>    > I expect your users would fire you when they found you'd blocked
>    > access to Google.
>
>Doesn't goog do certificate pinning anyways, at least in their web
>browser?



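The point above about HSTS holds because an HSTS policy only governs the transport scheme, never which certificates the client trusts. The following is an added illustration, not code from this thread or from any browser: a small Python model of the RFC 6797 header parsing and known-host upgrade logic, with constructed host names and timestamps.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_sts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None where RFC 6797 s6.1 rejects it: a directive repeated, or max-age
    missing or non-numeric. Unknown directives (e.g. preload) are ignored."""
    max_age, include_sub, seen = None, False, set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Known-HSTS-host list as a user agent keeps it: host -> (expiry, includeSubDomains)."""
    def __init__(self):
        self.policies = {}
    def observe(self, host, header, now, secure_transport=True):
        # s8.1: honour the header only over HTTPS with no TLS errors; max-age=0 forgets the host.
        if not secure_transport or (parsed := parse_sts_header(header)) is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host.lower(), None)
        else:
            self.policies[host.lower()] = (now + max_age, include_sub)
    def is_known(self, host, now):
        # Exact match, or a superdomain whose policy carries includeSubDomains (s8.2).
        labels = host.lower().split(".")
        for i in range(len(labels)):
            p = self.policies.get(".".join(labels[i:]))
            if p and p[0] > now and (i == 0 or p[1]):
                return True
        return False
    def rewrite(self, url, now):
        # s8.3: upgrade http:// to a known host before sending. Certificate validation is
        # untouched, so a locally trusted interception CA still terminates the session.
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or "", now):
            return urlunsplit(("https",) + tuple(parts)[1:])
        return url
```

The store never consults a trust anchor, which is exactly why an interception proxy whose CA is installed on the client is unaffected by the header.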