Clients are supposed to check. For example, Apple requires a varying number of SCTs in order for Safari to trust server certificates. https://support.apple.com/en-us/103214
So how does that work with middleboxes? Corporate isn't about to forgo egress security (nor should they).
I don't currently MITM my LAN but my general attitude is that if something won't accept my own root certificate from the store then it's broken, disrespecting my rights, and I want nothing to do with it. Trust decisions are up to me, not some third party.
Corporate managed machines can control the software running on the computer to do anything. I'm not sure the details, but chrome certainly can support corporate MITM. There's likely some setting you have to configure first.
The default should be to reject certificates which aren't being logged, and if you as a user or corporation have a reason to use private certificates, you just configure your computer to do that. Which fully protects against the risk of normal CAs signing fraudulent certificates.
"Code is cheap, show me your nationality" approach to opensource is an absolute disgrace to the world. Surely sharing knowledge and volunteer work in software is one place where nationality and politics should have no place
That's not about nationality though. That PR is about (re)enabling OpenTofu to work more smoothly with Russian SaaSes, which are either already sanctioned or are likely to be sanctioned.
Everything is political, being "apolitical" is a political choice. You can't escape politics.
And yes, it does break MITM use cases, for example on Chrome: https://httptoolkit.com/blog/chrome-android-certificate-tran...
reply