Finally, this website is (only) accessible over https!
While there are many well-documented issues with the X.509 PKI trust model, I’ve done my best to harden my web server’s encryption configuration.
This includes whitelisting only the most secure PFS TLS ciphers as well as utilizing technologies such as HPKP to allow users to store & pin my SSL certificate after initial TOFU and HSTS to minimize the risk of protocol downgrade attacks.
While it’s reasonable to suspect that Mallory already possesses at least one root CA certificate that your browser will happily trust while they MITM your would-be-private connection with my server, it’s less likely an issue if you’ve visited my site in the past (without the MITM attack) because your browser will require future connections to be encrypted (via HSTS cache) and detect if the certificate changed (via HPKP cache).
Big “Thank you!” to Mozilla, the EFF, and others for funding https://letsencrypt.org, my new (free!) certificate authority!
Related Posts
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
Leave a Reply