| 1 |
On Wednesday, June 2, 2021 3:51:06 AM CEST Grant Taylor wrote: |
| 2 |
> On 6/1/21 3:38 PM, Michael Orlitzky wrote: |
| 3 |
> > All browsers will treat their fake certificate corresponding to the |
| 4 |
> > fake key on their fake web server as completely legitimate. The "real" |
| 5 |
> > original key that you generated has no special technical properties |
| 6 |
> > that distinguish it. |
| 7 |
> |
| 8 |
> Not /all/ browsers. I know people that have run browser extensions to |
| 9 |
> validate the TLS certificate that they receive against records published |
| 10 |
> via DANE in DNS, which is protected by DNSSEC. So it's effectively |
| 11 |
> impossible for a rogue CA and malicious actor to violate that chain of |
| 12 |
> trust in a way that can't be detected and acted on. |
| 13 |
|
| 14 |
Do you know which extensions add this? |
Archives