Hacker News new | past | comments | ask | show | jobs | submit login

lol no? lower cert times still extend the root certificates that are already trusted. It is not a noticeable thing when browsing the web as a user.

A MITM cert would need to be manually trusted, which is a completely different thing.




I think their point is that a hypothetical connection-specific cert would make it difficult/impossible to compare your cert with anybody else to be able to find out that it happened. A CA could be backdoored but only “tapped” for some high-value target to diminish the chance of burning the access.


> I think their point is that a hypothetical connection-specific cert would make it difficult/impossible to compare your cert with anybody else to be able to find out that it happened.

This is already the case; CT doesn't rely on your specific served cert being comparable with others, but all certs for a ___domain being monitorable and auditable.

(This does, however, point to a current problem: more companies should be monitoring CT than are currently.)


Well, the cert can still be compared to what's in the CT Log for this purpose.


Yes, precisely.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: