undefined | Better HN

0 pointsyjftsjthsd-h2y ago0 comments

If an attack requires compromising my operating system certificate store, I'm reasonably comfortable excluding it from most of my threat models.

0 comments

electroly2y ago

Obviously you choose your own relevant threat models, but it's common to do in iOS apps--many apps are including it in their threat models. Pinning the CA cert is what Apple recommends to app developers. It's not an unreasonable thing to do.

https://developer.apple.com/news/?id=g9ejcf8y

yjftsjthsd-hOP2y ago

That link discusses how to do it but not why. The most likely thing that occurs to me is that iOS apps consider the user a potentially hostile actor in their threat model, which is... technically a valid model, but in the context of this thread I don't that counts as a real concern.

j / k navigate · click thread line to collapse

0 pointsyjftsjthsd-h2y ago0 comments

If an attack requires compromising my operating system certificate store, I'm reasonably comfortable excluding it from most of my threat models.

0 comments

electroly2y ago

https://developer.apple.com/news/?id=g9ejcf8y

yjftsjthsd-hOP2y ago

j / k navigate · click thread line to collapse