Gregory's Server@farshidhakimy @signalapp browser data is intercepted daily by hundreds if not thousands of companies via managed endpoints that have SSL stripping software on them. If you're communicating via a "secure" messenger that works on the web, it isn't as secure as you think.
|
2 comments
@farshidhakimy @signalapp I misspoke, security isn't my area. I meant MITM by installing a root cert, not SSL stripping, which is a completely different vector of attack, but from my brief reading, is possible to secure against via cert transparency like you said. This is great! Definitely need to look into this more, would be great to have a web client as an option if security isn't a concern anymore. |
@Cappyjax @signalapp
SSL stripping is not possible after the first secure connection on any modern browser.
Also every modern browser warns users when they're connected via HTTP.
Even if a malicious actor gets valid SSL certificates without compromising the server, the admins will get warned because of Certificate Transparency.
In addition to that, the source code for the web client would be open source, which means that one could open a static http file locally or host it themselves.