Filippo Valsorda @filippo.abyssdomain.expert · May 14, 2015 · 1:42 PM UTC

Filippo Valsorda @filippo.abyssdomain.expert @FiloSottile

14 May 2015

You periodic reminder that HTTPS (excluding EV) is about protecting and trusting the connection, not the website.

Filippo Valsorda @filippo.abyssdomain.expert · May 14, 2015 · 1:53 PM UTC

Filippo Valsorda @filippo.abyssdomain.expert @FiloSottile

14 May 2015

Possible malicious actors without HTTPS: * the website * the ISP * the gov * the hot-spot * the neighbor With HTTPS: * the website

173

118

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · May 14, 2015 · 6:41 PM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · May 14, 2015 · 6:41 PM UTC

14 May 2015

@FiloSottile @directhex Also MITM ISPs with control of your DNS and a root-signed MITM cert. Also the entire CA system

May 14, 2015 · 6:41 PM UTC

Filippo Valsorda @filippo.abyssdomain.expert · May 14, 2015 · 7:27 PM UTC

Filippo Valsorda @filippo.abyssdomain.expert @FiloSottile

14 May 2015

@dsilverstone @directhex @miekg CT will tell us about them.