On 9/26/25 11:22 PM, Jeffrey Walton wrote:
> On Sat, Sep 27, 2025 at 2:13 AM Marco Moock wrote:
>> On 27.09.2025 at 01:50:08, Jeffrey Walton wrote:
>>> A corollary to "interception is a valid use case" is, webapps can
>>> never be sure they have a secure channel. Therefore, webapps can only
>>> handle low value data. Higher value data should be handled by hybrid
>>> and native apps.
>> They usually use the system's certificates. Same privacy and security
>> issues in that case.
> Native and some hybrid apps have additional security controls they can
> use. Namely, Host Key Pinning. When practicing pinning, the app does
> not care about the certification path or the CAs doing the
> certifying. The app only cares about the host's public key. This is
> similar to SSH's StrictHostKeyChecking (and the precursor experiment
> called Perspectives).

Then those apps wouldn't work in this situation.
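The pinning check discussed in this thread, as an added example that is not part of any poster's message: the pin is a SHA-256 hash over the certificate's SubjectPublicKeyInfo, so a certificate from a different CA with the same key still matches, while an interception proxy that presents its own key does not. The helper names, the `fake_cert` stand-in certificates, the key bytes and the host name `app.example` are all constructed for illustration.

```python
import base64
import hashlib

def tlv(tag, body):
    """DER-encode one element (short or long length form)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def children(der):
    """Yield (tag, full_encoding, body) for each element in a DER body."""
    i = 0
    while i < len(der):
        start, tag, n = i, der[i], der[i + 1]
        i += 2
        if n & 0x80:                      # long form: next k bytes hold the length
            k = n & 0x7F
            n = int.from_bytes(der[i:i + k], "big")
            i += k
        yield tag, der[start:i + n], der[i:i + n]
        i += n

def spki_pin(cert_der):
    """Return base64(SHA-256(SubjectPublicKeyInfo)) for a DER certificate."""
    _, _, cert_body = next(children(cert_der))   # Certificate SEQUENCE
    _, _, tbs_body = next(children(cert_body))   # tbsCertificate SEQUENCE
    fields = list(children(tbs_body))
    if fields[0][0] == 0xA0:                     # optional [0] version
        fields = fields[1:]
    spki = fields[5][1]  # after serial, sigAlg, issuer, validity, subject
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def fake_cert(issuer, key):
    """Constructed stand-in with X.509 field order; unsigned, names simplified."""
    name = lambda s: tlv(0x30, tlv(0x0C, s.encode()))
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + name(issuer) + tlv(0x30, b"")
              + name("app.example") + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def pin_ok(cert_der, pins):
    """Accept the peer only if its public key is pinned; the issuer is ignored."""
    return spki_pin(cert_der) in pins

HOST_KEY, PROXY_KEY = bytes(range(32)), bytes(range(32, 64))  # constructed keys
PINS = {spki_pin(fake_cert("CA One", HOST_KEY))}               # shipped in the app

if __name__ == "__main__":
    print(pin_ok(fake_cert("CA Two", HOST_KEY), PINS))             # same key, new CA
    print(pin_ok(fake_cert("Interception CA", PROXY_KEY), PINS))   # proxy's own key
```

With a live connection the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)` instead of `fake_cert`.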