undefined | Better HN

0 pointsfrankjr2y ago0 comments

> Certificate Transparency logs

CT logs are just, well, logs. They don't do anything to protect you from having your traffic intercepted via maliciously issued certificate. You might learn later (if somebody bothers to check) that it occurred but at that point the damage is already done.

> HSTS

This just says the connection should only be established via HTTPS, nothing more.

> Cert Pinning

Cert pinning has been removed both from Chromium and Firefox.

https://chromestatus.com/feature/5903385005916160

https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Rel...

0 comments

rvnx2y ago

Yes exactly the 3 elements are necessary for the protection to work.

HSTS is the official way to force HTTPS (aside 301 redirects), if you have the best certificate in the world, but the client is using HTTP, then there is no point.

If you only have CT logs you are just catching the issue (if... the CT log servers themselves are not blocked by the rogue actor), but it's still too late.

Cert Pinning is here to prevent the issue, whether browsers or not wants to follow it is another question.

frankjrOP2y ago

Right, I think I misunderstood what you were saying earlier.

j / k navigate · click thread line to collapse