On Wednesday, June 2, 2021 3:51:06 AM CEST Grant Taylor wrote:
> On 6/1/21 3:38 PM, Michael Orlitzky wrote:
> > All browsers will treat their fake certificate corresponding to the
> > fake key on their fake web server as completely legitimate. The "real"
> > original key that you generated has no special technical properties
> > that distinguish it.
>
> Not /all/ browsers. I know people that have run browser extensions to
> validate the TLS certificate that they receive against records published
> via DANE in DNS, which is protected by DNSSEC. So it's effectively
> impossible for a rogue CA and malicious actor to violate that chain of
> trust in a way that can't be detected and acted on.

Do you know which extensions add this?