- In the same direction, I once wanted to test an embedded device on crap wifi.
So I just ordered the cheapest AP I could find.
Except the damn device worked perfectly. Slow but rock solid.
One of our testers at $CURRENT_JOB also has trouble simulating a crap network, because our network is good.
- https://badssl.com/ also offers several test subdomains in the same vein.
- Interesting. Chrome (146, macOS) shows no error messages on the revoked cert pages, but Firefox does (also macOS).
- Yeah, Chrome only partly supports revocation (Not sure exactly the criteria, but our test sites don't match it).
- Same with Brave, so it is a Chromium thing.
- Vanadium, Chrome and Firefox (all for Android) all accept all the revoked certificates... But revoked.badssl.com is considered revoked
- > Vanadium, Chrome and Firefox (all for Android) all accept all the revoked certificates... But revoked.badssl.com is considered revoked
Firefox Beta (150.0b7) is accepting all of the revoked certs on my device
- Meanwhile HTTP keeps working just fine and is decentralized.
Just "add your own crypto" on top, which is the ONLY thing a sane person would do.
3... 2... 1... banned?
- to actually tackle this (on the off chance you're serious, I'm assuming not) - this doesn't work.
The payload that implements your crypto cannot be delivered over http, because any intermediate party can just modify your implementation and trivially compromise it.
If you don't trust TLS, you have to pre-share something. In the case of TLS and modern browser security, the "pre-shared" part is the crypto implementation running in the browser, and the default trusted store of root CAs (which lives in the browser or OS, depending).
If you want to avoid trusting that, you've got to distribute your algorithm through an alternative channel you do trust.
33 points by mcpherrinm 2 hours ago | 11 comments