
Stop Breaking TLS

(www.markround.com)
170 points todsacerdoti | 1 comments
cornonthecobra No.46216054
> Consider this - what is the likelihood of every certificate authority on the Internet having their private keys compromised simultaneously?

Considering that CloudFlare has managed to MitM a huge part of the internet, I'd say that probability is not just non-zero, but greater than by a worrying margin.

replies(1): >>46225759 #
acdha No.46225759
That’s not what MITM means, and also misunderstands how CAs work. Cloudflare is a concern for how many people would be affected if there was another Cloudbleed but misstating their relationship with their customers isn’t going to accomplish anything.
replies(1): >>46228740 #
JetSpiegel No.46228740
How is that not a MITM? Just because it's the modern day CryptoAG?
replies(1): >>46230922 #
acdha No.46230922
Because it’s not an attack but rather a voluntary infrastructure choice by a company. We don’t say that Varnish is a MITM because it’s in front of my application, because it’s intentional and under my control. Misusing the term muddies the topic rather than adding clarity, and while there’s a very useful discussion about centralization or why Cloudflare’s most stringent customers might want to deploy their Keyless SSL service, that discussion won’t happen if someone misuses the term.