On Sat, Sep 27, 2025 at 2:13 AM Marco Moock <[email protected]> wrote:
>
> On 27.09.2025 at 01:50:08, Jeffrey Walton wrote:
>
> > A corollary to "interception is a valid use case" is, webapps can
> > never be sure they have a secure channel. Therefore, webapps can only
> > handle low value data. Higher value data should be handled by hybrid
> > and native apps.
>
> They usually use the system's certificates. Same privacy and security
> issues in that case.

Native and some hybrid apps have additional security controls they can
use. Namely, Host Key Pinning. When practicing pinning, the app does
not care about the certification path or the CAs doing the
certifying. The app only cares about the host's public key. This is
similar to SSH's StrictHostKeyChecking (and the precursor experiment
called Perspectives).

Jeff.
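
Added example, not part of the original message: a sketch of the check that public key pinning performs, in which the issuer is never consulted and only a SHA-256 hash of the certificate's SubjectPublicKeyInfo is compared against a stored pin. The function names, the simplified stand-in certificates and the key bytes are constructed for illustration.

```python
import base64, hashlib, hmac

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_from_cert(der):
    """Extract the SubjectPublicKeyInfo element from a DER X.509 certificate."""
    _, start, _ = read_tlv(der, 0)         # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, start)       # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    return der[pos:read_tlv(der, pos)[2]]

def pin_of(spki):
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def pin_matches(cert_der, pinned):
    """True if the certificate's public key is pinned; the issuer is ignored."""
    got = pin_of(spki_from_cert(cert_der))
    return any(hmac.compare_digest(got, p) for p in pinned)

# Everything below is constructed sample data, not a real certificate.
def tlv(tag, body):
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def fake_cert(issuer, key):
    """Stand-in with the DER layout of a certificate but no real signature."""
    name = lambda cn: tlv(0x30, tlv(0x0C, cn))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + name(issuer) + tlv(0x30, b"") + name(b"host.example")
              + tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

KEY_A, KEY_B = b"A" * 32, b"B" * 200       # constructed key bytes
PINNED = {pin_of(spki_from_cert(fake_cert(b"CA One", KEY_A)))}

def demo():
    # Same key under another issuer passes; same issuer with another key fails.
    return (pin_matches(fake_cert(b"Other CA", KEY_A), PINNED),
            pin_matches(fake_cert(b"CA One", KEY_B), PINNED))
```

In a real client the DER bytes would come from the TLS connection, for example Python's `ssl.SSLSocket.getpeercert(binary_form=True)`.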