(www.devever.net)

341 points hlandau | 4 comments | 20 Oct 23 20:31 UTC | HN request time: 0.63s | source

1. tedunangst ◴[20 Oct 23 23:00 UTC] No.37962435[source]▶

Run your own CA and choose your roots carefully didn't make the cut.

replies(1): >>37962872 #

2. fanf2 ◴[21 Oct 23 00:10 UTC] No.37962872[source]▶

>>37962435 (TP) #

A bit difficult when providing services to third parties who can use any client software :-/

replies(2): >>37963028 #>>37963056 #

3. tedunangst ◴[21 Oct 23 00:35 UTC] No.37963028[source]▶

>>37962872 #

That's actually probably easier than getting a browser to work with a forbidden cert, how dare you.

4. justsomehnguy ◴[21 Oct 23 00:39 UTC] No.37963056[source]▶

>>37962872 #

Yes, but if you can serve multiple certificates on one endpoint (think SNI) then you can add your own self-signed or private PKI certificate to be able to check if all your requests are being intercepted by a lazy adversary.

↑

Mitigating the Hetzner/Linode XMPP.ru MitM interception incident