| ▲ | procaryote 2 days ago |
| Compromise one device, extract the private key, have a "trusted for a very long time" cert that identifies like devices of that type, sneak it into a target network for man in the middle shenanigans. |
| ▲ | dcow 2 days ago | parent [-] |
| If someone does that you’ve already been pwned. In reality you limit the CA to be domain scoped. I don’t know why domain-scoped CAs aren’t a thing. |
| ▲ | jabiko 2 days ago | parent [-] |
| > If someone does that you’ve already been pwned |
| Then why use encryption at all when your threat model for encrypted communication can't handle a malicious actor on the network? |

| ▲ | mjmas 2 days ago | parent [-] |
| Because there are various things in HTML and JS that require https. (Though getting the browser to just assume http to local domains is secure, like it already does for http://localhost, would solve that.) |
|
|