Timeline for How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?
Current License: CC BY-SA 3.0
5 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Jul 23, 2014 at 20:30 | history | post merged (destination) | | | |
| Oct 23, 2013 at 23:07 | comment | added | LateralFractal | | @scuzzy-delta The update servers of larger organisations are likely digitally signed in a manner checked by the patch process (Blizzard games for example); but in the main most initial downloads are not restricted to an HTTPS access channel and most updates are neither signed nor checked by patch automation if automation exists. In theory our brand new OEM computer should come with a ROM medium of Root CAs verified by auditors independent of the OEM, and everything downloaded afterwards using HTTPS or a signed equivalent. |
| Oct 23, 2013 at 21:23 | comment | added | scuzzy-delta | | MITM-ing the patch process is an excellent point...but to me it seems that the ISP would have to compromise the private key of the update server to do so (which I think is encroaching into NSA/TLA territory). Have you any incidents in mind? |
| Oct 23, 2013 at 12:50 | comment | added | Wolfer | | Nice suggestion there. :D |
| Oct 23, 2013 at 1:18 | history | answered | LateralFractal | CC BY-SA 3.0 | |