Google: Maintaining digital certificate security

Posted Mar 25, 2015 21:05 UTC (Wed) by cesarb (subscriber, #6266)
In reply to: Google: Maintaining digital certificate security by gerv
Parent article: Google: Maintaining digital certificate security

> If this is the first time you've ever connected to a site, it's less likely you are going to be doing high value transactions on it. Most web visits are to places people have been before.

That's not a strong argument.

First, if my home connection (or work connection) is persistently MITM'ed, and I always (or almost always) use it, it's likely that both the first visit and all subsequent visits to any site will be MITM'ed.

Second, let's take a real example: online banking. The first time I ever connect to it, I set up the online password by using the ATM password. The online banking website asks for the ATM password as an extra verification when doing important transactions. That is, the first time I connect to that online banking website is precisely when I need the most for it to NOT be MITM'ed.

Sure, HPKP can remove a lot of the risk in many situations (nomadic devices, MITM starting after you've already visited the site, etc), but there are several situations in which it doesn't help.

Google: Maintaining digital certificate security

Posted Mar 25, 2015 21:34 UTC (Wed) by dlang (guest, #313) [Link]

no security is absolute, but if your home system is targeted by a persistent MITM that's after you and faking the sites you connect to, what are the odds against them doing a black-bag job on your system?

There are a lot of cases where something like this does help, and if it can be coupled with something like the ssh key update things so that planned migrations from one key to another don't generate noise for users, there would be a lot of value in it.