On Thu, Feb 19, 2015 at 9:43 AM, Jeffrey Walton <[email protected]> wrote:
> Quod erat demonstratum:
>
> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
>
> This proposal needs to be revisited. It has serious defects.

Ryan's previous post already covered the reasons for disabling pin validation for user-defined trust anchors, which still hold even though Superfish did their superfish thing. If the spec did not allow this behavior, the next Superfish would probably just configure local UAs to launch with pinning disabled completely. I don't think their recklessness would somehow stop short of overriding the browser's pinning policy.
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
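An added illustration (not code from the thread or from any browser) of the pin-validation rule under discussion: RFC 7469 pins are SHA-256 hashes of the DER SubjectPublicKeyInfo, and a UA may skip pin validation when the chain ends at a user-installed trust anchor. The SPKI byte strings, certificate names and pin sets below are constructed stand-ins; the `exempt_user_anchors` switch is a hypothetical parameter used to contrast the two behaviours.

```python
import base64
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; a real UA
# would take these from the X.509 certificates in the already-validated chain.
SITE_SPKI = b"constructed-spki:example-site-key"
PUBLIC_CA_SPKI = b"constructed-spki:public-root-ca"
LOCAL_ROOT_SPKI = b"constructed-spki:user-installed-root"
MITM_LEAF_SPKI = b"constructed-spki:interception-proxy-leaf"


@dataclass(frozen=True)
class Cert:
    subject: str
    spki_der: bytes


def spki_pin(cert: Cert) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode()


def validate_pins(chain, pins, user_trust_anchors, exempt_user_anchors=True):
    """Check a validated chain (leaf first, trust anchor last) against a host's
    pin set. Returns (accepted, reason)."""
    anchor = chain[-1]
    if exempt_user_anchors and spki_pin(anchor) in user_trust_anchors:
        # RFC 7469 section 2.6: a UA may skip pin validation when the chain
        # terminates at a trust anchor added locally rather than shipped with it.
        return True, "user-defined trust anchor: pin validation skipped"
    for cert in chain:
        if spki_pin(cert) in pins:
            return True, f"pin matched on {cert.subject}"
    return False, "no pinned SPKI in chain"


# Constructed scenario: the site pins its own key and its public root.
site = Cert("example.com", SITE_SPKI)
public_root = Cert("Public Root CA", PUBLIC_CA_SPKI)
local_root = Cert("Locally Installed Root", LOCAL_ROOT_SPKI)
mitm_leaf = Cert("example.com (proxy-issued)", MITM_LEAF_SPKI)
HOST_PINS = {spki_pin(site), spki_pin(public_root)}
USER_ANCHORS = {spki_pin(local_root)}  # root added outside the UA's own store


def demo():
    legit = validate_pins([site, public_root], HOST_PINS, USER_ANCHORS)
    intercepted = validate_pins([mitm_leaf, local_root], HOST_PINS, USER_ANCHORS)
    strict = validate_pins([mitm_leaf, local_root], HOST_PINS, USER_ANCHORS, False)
    return legit[0], intercepted[0], strict[0]
```

`demo()` returns `(True, True, False)`: the genuine chain passes on its pins, the locally-rooted interception chain passes only because of the user-anchor exemption, and it fails once that exemption is removed, which is the behaviour the thread argues would simply push such software to disable pinning outright.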
