Well, that's just lovely:
http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-ce...
On 12/9/2013, 9:34 PM, Adam Thompson wrote:
> Well, that's just lovely:
> http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-ce...
Awesome, though it does help highlight the issue of SSL/TLS structural weakness. It doesn't need anything that fancy if you control the clients either of course, as the ability to MITM traffic is a built-in feature in lots of devices.
On the other hand, I have appreciated the visibility I get from the Perspectives plug-in for Firefox. It basically asks other systems for the certificates they see, and highlights any (sometimes valid) discrepancies. If you want to see it squawk, connect to one of those hotspots that hijacks your first browser request to log in using an HTTPS site.
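
The multi-vantage-point comparison described in the message above, as an added example that is not part of the original post and is not the Perspectives plug-in's own code or protocol. The notary names, the certificate byte strings and the 0.75 quorum threshold are constructed assumptions.

```python
import hashlib


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def assess(local_der: bytes, notary_views: dict, quorum: float = 0.75):
    """Compare the certificate seen locally with what other vantage points report.

    notary_views maps a notary name to the list of fingerprints it has seen
    for the host. It is a list because certificate rotation or a load-balanced
    farm can legitimately present more than one certificate.
    Returns (verdict, names_of_agreeing_notaries).
    """
    local_fp = fingerprint(local_der)
    # Notaries that returned nothing are excluded instead of counted as dissent.
    answered = {name: fps for name, fps in notary_views.items() if fps}
    if not answered:
        return "unknown", []      # no outside view, so no decision either way
    agreeing = sorted(name for name, fps in answered.items() if local_fp in fps)
    if len(agreeing) / len(answered) >= quorum:
        return "consistent", agreeing
    if agreeing:
        return "partial", agreeing    # a valid discrepancy is possible (rotation, CDN)
    return "mismatch", agreeing       # only this client sees the certificate


# Constructed stand-ins for DER bytes; real input would come from the TLS handshake.
SITE_CERT = b"constructed: certificate the site normally serves"
ROTATED_CERT = b"constructed: newer certificate on one front end"
PORTAL_CERT = b"constructed: certificate presented by a hotspot login page"

NOTARIES = {
    "notary-a": [fingerprint(SITE_CERT)],
    "notary-b": [fingerprint(SITE_CERT), fingerprint(ROTATED_CERT)],
    "notary-c": [fingerprint(SITE_CERT)],
    "notary-d": [],               # did not answer
}

if __name__ == "__main__":
    for label, cert in [("site", SITE_CERT), ("rotated", ROTATED_CERT),
                        ("portal", PORTAL_CERT)]:
        print(label, assess(cert, NOTARIES))
```

The "partial" verdict is the case where a discrepancy can be legitimate, so it is reported separately from a certificate that no other vantage point has seen.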