On Thu, Feb 19, 2015 at 1:44 PM, Bjoern Hoehrmann <derhoe...@gmx.net> wrote:
> * Jeffrey Walton wrote:
>>Here's yet another failure that Public Key Pinning should have
>>stopped, but the browser's rendition of HPKP could not stop because of
>>the broken security model:
>>http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/.
>
> In this story the legitimate user with full administrative access to the
> systems is Lenovo. I do not really see how actual user agents could have
> "stopped" anything here. Timbled agents that act on behalf of someone
> other than the user might have denied users their right to modify their
> system as Lenovo did here, but that is clearly out of scope of browsers.
> --

Like I said, the security model is broken and browser based apps can only handle low value data.