user5994461
5y ago
Trusting a specific hash would blow up when the service rotates its self-signed certificate, defeating the point of ignoring certificate error.
josephcsible
5y ago
If you're rotating a self-signed certificate, then how do you suppose that clients securely trust it? Or if you just mean replacing it when it expires, then this could instead be tied to the underlying public key alone, which can be reused.
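An added example (not part of the comment above or of any project discussed here) comparing a pin on the whole certificate with a pin on the public key alone when a self-signed certificate is reissued. The subject name `service.example`, the serial numbers and the helper names `must`, `issue` and `Reissue` are constructed for the illustration; it needs Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on err so the demonstration stays short (hypothetical helper).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates and parses a self-signed certificate for key (constructed subject).
func issue(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "service.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// Reissue replaces a certificate and reports which SHA-256 pins on the old one still match.
func Reissue(reuseKey bool) (certPinOK, spkiPinOK bool) {
	oldKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	newKey := oldKey
	if !reuseKey {
		newKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	a, b := issue(oldKey, 1), issue(newKey, 2)
	return sha256.Sum256(a.Raw) == sha256.Sum256(b.Raw), // pin on the full DER certificate
		sha256.Sum256(a.RawSubjectPublicKeyInfo) == sha256.Sum256(b.RawSubjectPublicKeyInfo)
}

func main() {
	fmt.Println(Reissue(true))  // key reused: certificate pin breaks, key pin holds
	fmt.Println(Reissue(false)) // key replaced: both pins break
}
```

A client that pins the SubjectPublicKeyInfo hash keeps working across renewals with the same key and still rejects any certificate presented with a different key.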
pornel
5y ago
If your clients support "rotating" self-signed certs just like that, it's a huge MITM vulnerability and makes HTTPS as secure as a TSA checkpoint.