[cryptography] "There is something Google can do. So they should do it."

Tony Arcieri bascule at gmail.com
Sat Nov 28 00:03:24 EST 2015


On Fri, Nov 27, 2015 at 7:34 PM, Greg <greg at kinostudios.com> wrote:

> I dedicated about a third of the blog post to Dell and basically called
> them liars. I hardly think that counts as a “ parenthetical”.
>

You are literally using it as a pretext to go after Google. Can you point
to a single time in the past you've mentioned Dell's involvement in this
incident without mentioning Google?

Firefox has the same behavior for HPKP:

https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

"Allow User MITM (pinning not enforced if the trust anchor is a user
inserted CA, default)"

Why do you never mention this? Your blog post doesn't mention Firefox once.


>
> > Your threat modeling priorities are, to put it bluntly, pretty fucked up
> Greg.
>
> Ditto, Tony!


Threat: an attacker with local system administrator privileges can override
HPKP.

This is what you're worried about. You are trying to defend against an
attacker with local system administrator privileges.

If your local truststore is compromised, your system is compromised. Your
best bets are to reinstall the entire operating system or get a new
computer.

You are worried the door lock is pickable when the house is on fire.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20151127/6a1ef46e/attachment.html>


More information about the cryptography mailing list