algesten | 2 years ago

To protect myself or my company, what about a pihole (or similar) that rejects any TLS connection attempted with certs signed by these root CAs?

archi42|2 years ago

That's illegal then. But the pihole won't do the trick, you need to remove the mandated certs from your browser's cert store. If these certs are used for legitimate places (e.g. EU or state websites, and I'll bet they will) you then will get a certificate error.

Of course there is still HSTS, but that's not supported by all tech using TLS.

hn8305823|2 years ago

> If these certs are used for legitimate places (e.g. EU or state websites, and I'll bet they will) you then will get a certificate error.

Prediction: If this passes, users having to bypass cert errors will be the new cookie popup.

Snawoot|2 years ago

TLS 1.3 encrypts the server certificate, so it will not be possible to filter such connections out using just passive inspection.
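
What a passive monitor can read from the server's first flight in TLS 1.2 versus TLS 1.3, as an added example that is not part of the thread. The two flights are constructed with filler bodies, the helper names are hypothetical, and the parser assumes no HelloRetryRequest.

```python
import struct

HANDSHAKE, CCS, APP_DATA = 22, 20, 23
NAMES = {2: "server_hello", 11: "certificate", 12: "server_key_exchange", 14: "server_hello_done"}

def rec(ctype, payload, ver=0x0303):
    return struct.pack("!BHH", ctype, ver, len(payload)) + payload

def hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def records(stream):
    """Yield (content_type, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5 : pos + 5 + length]
        if len(payload) < length:
            break  # truncated capture
        yield ctype, payload
        pos += 5 + length

def passive_view(stream):
    """Return (plaintext handshake message names, count of opaque records)."""
    buf, seen, opaque, encrypted = b"", [], 0, False
    for ctype, payload in records(stream):
        if ctype == CCS:
            encrypted = True  # assumption: no plaintext handshake follows (no HelloRetryRequest)
        elif ctype == HANDSHAKE and not encrypted:
            buf += payload  # handshake messages may span records
            while len(buf) >= 4:
                mlen = int.from_bytes(buf[1:4], "big")
                if len(buf) < 4 + mlen:
                    break
                seen.append(NAMES.get(buf[0], f"type_{buf[0]}"))
                buf = buf[4 + mlen:]
        else:
            opaque += 1  # ciphertext: content is not readable on the wire
    return seen, opaque

# Constructed server flights; message bodies are filler bytes, not real handshakes.
TLS12_FLIGHT = rec(22, hs(2, b"\x00" * 40) + hs(11, b"\x00" * 300)) + rec(22, hs(12, b"\x00" * 70) + hs(14, b""))
TLS13_FLIGHT = rec(22, hs(2, b"\x00" * 90)) + rec(20, b"\x01") + rec(23, b"\x00" * 600) + rec(23, b"\x00" * 80)

if __name__ == "__main__":
    print("TLS 1.2:", passive_view(TLS12_FLIGHT))
    print("TLS 1.3:", passive_view(TLS13_FLIGHT))
```

In the TLS 1.3 flight the Certificate message travels inside the opaque application_data records, so the parser never sees a `certificate` entry and has no issuer to match against.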

darkarmani|2 years ago

Instead of a pihole, you'd run an HTTPS proxy that doesn't trust the certs, I guess.