(www.devever.net)

341 points hlandau | 3 comments | 20 Oct 23 20:31 UTC | HN request time: 0s | source

Show context

tedunangst ◴[20 Oct 23 23:00 UTC] No.37962435[source]▶

>>37961166 (OP) #

Run your own CA and choose your roots carefully didn't make the cut.

replies(1): >>37962872 #

1. fanf2 ◴[21 Oct 23 00:10 UTC] No.37962872[source]▶

>>37962435 #

A bit difficult when providing services to third parties who can use any client software :-/

replies(2): >>37963028 #>>37963056 #

2. tedunangst ◴[21 Oct 23 00:35 UTC] No.37963028[source]▶

>>37962872 (TP) #

That's actually probably easier than getting a browser to work with a forbidden cert, how dare you.

3. justsomehnguy ◴[21 Oct 23 00:39 UTC] No.37963056[source]▶

>>37962872 (TP) #

Yes, but if you can serve multiple certificates on one endpoint (think SNI) then you can add your own self-signed or private PKI certificate to be able to check if all your requests are being intercepted by a lazy adversary.

↑

Mitigating the Hetzner/Linode XMPP.ru MitM interception incident