
The CA system is extremely broken; it won't protect you from a state actor. Also, TLS + DANE is useless if the DNS is compromised.


That's a bit too much hyperbole to be useful: yes, a state that runs a trusted CA is a threat (at least for sites that don't use key-pinning), but there are a ton of other things you're at risk for that way, like SMS-based auth and the police or a black-bag squad paying you a visit. Describing the CA model as extremely broken because it doesn't handle an out-of-scope threat doesn't help anyone change their behavior to avoid it.
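To make the key-pinning point from the comment above concrete, here is an added example (not code from either commenter). It constructs a trust store that contains two roots, a legitimate one and a rogue one standing in for a state-controlled CA, has each issue a certificate for the same hostname, and shows that ordinary chain validation accepts both while an SPKI pin on the site's own key rejects the rogue-issued one. All names, serials and the hostname "example.test" are made up for the scenario.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key; panics on failure to keep the example short.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mustCert parses the DER produced by x509.CreateCertificate, panicking on error.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA returns a self-signed root certificate and its private key.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// newLeaf issues a server certificate for host, signed by the given CA.
func newLeaf(host string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// spkiPin computes an HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainValid is what an ordinary TLS client checks: does the leaf chain to any trusted root for host?
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinValid is the extra check a pinning client adds on top of chain validation.
func pinValid(leaf *x509.Certificate, pins map[string]bool) bool {
	return pins[spkiPin(leaf)]
}

// Result records how each certificate fares under each check.
type Result struct {
	LegitChainOK, RogueChainOK bool
	LegitPinOK, RoguePinOK     bool
}

// RunScenario builds the constructed trust store, issues both leaves and applies both checks.
func RunScenario() Result {
	const host = "example.test" // hypothetical hostname
	goodCA, goodKey := newCA("Legitimate Root", 1)
	rogueCA, rogueKey := newCA("Rogue Root", 2)

	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	roots.AddCert(rogueCA) // both are trusted, as in a real store that carries a rogue root

	legit := newLeaf(host, 10, goodCA, goodKey)
	rogue := newLeaf(host, 11, rogueCA, rogueKey)

	pins := map[string]bool{spkiPin(legit): true} // pin the site's own key, not a CA

	return Result{
		LegitChainOK: chainValid(legit, roots, host),
		RogueChainOK: chainValid(rogue, roots, host),
		LegitPinOK:   pinValid(legit, pins),
		RoguePinOK:   pinValid(rogue, pins),
	}
}

func main() {
	r := RunScenario()
	fmt.Printf("chain validation: legit=%v rogue=%v\n", r.LegitChainOK, r.RogueChainOK)
	fmt.Printf("SPKI pin check:   legit=%v rogue=%v\n", r.LegitPinOK, r.RoguePinOK)
}
```

The pin is on the leaf's SubjectPublicKeyInfo, so it survives certificate renewal as long as the key is reused; a real deployment pins at least one backup key as well, since a lost pinned key otherwise locks clients out. Browsers have dropped HPKP for exactly that operational risk, so today this kind of check lives mainly in mobile apps and other clients whose pin set the operator controls.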

