On Fri, Nov 27, 2015 at 7:34 PM, Greg <g...@kinostudios.com> wrote:

> I dedicated about a third of the blog post to Dell and basically called
> them liars. I hardly think that counts as a “parenthetical”.

You are literally using it as a pretext to go after Google. Can you point to a single time in the past you've mentioned Dell's involvement in this incident without mentioning Google?

Firefox has the same behavior for HPKP:

https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

"Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)"

Why do you never mention this? Your blog post doesn't mention Firefox once.

> > Your threat modeling priorities are, to put it bluntly, pretty fucked up
> > Greg.
>
> Ditto, Tony!

Threat: an attacker with local system administrator privileges can override HPKP.

This is what you're worried about. You are trying to defend against an attacker with local system administrator privileges.

If your local truststore is compromised, your system is compromised. Your best bets are to reinstall the entire operating system or get a new computer.

You are worried the door lock is pickable when the house is on fire.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography