Hacker News

Or you could just hardcode the certificate fingerprint and refuse to accept anything else. It's trivial when you own the client.

I'm not sure if this would break when you needed to renew the certificate, but I guess you only update the signature, not the actual public key.
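The two comments above describe pinning a hash of what the server presents and wondering what happens on renewal. The example below is added here to show the distinction concretely and is not code from the thread: it pins the SHA-256 of the SubjectPublicKeyInfo (the public key) rather than of the whole certificate, wires that pin into a Go `tls.Config` through `VerifyPeerCertificate`, and then checks three constructed self-signed certificates: the original, a renewal over the same key, and an impostor over a fresh key. The host name `example.invalid`, the serial numbers and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SpkiPin hashes the certificate's SubjectPublicKeyInfo (the public key, not the
// whole cert). It stays the same across renewals as long as the key pair is kept.
func SpkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// CertFingerprint hashes the entire DER certificate; every renewal changes it,
// which is why a client pinned on the fingerprint breaks at the first rotation.
func CertFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedVerifier returns a tls.Config.VerifyPeerCertificate callback that
// accepts the peer only if the leaf's SPKI pin is in the hardcoded set.
func PinnedVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		got := SpkiPin(leaf)
		for _, want := range pins {
			if got == want {
				return nil
			}
		}
		return fmt.Errorf("pin mismatch: leaf SPKI %s not in pin set", got)
	}
}

// PinnedClientConfig is how a client would wire the pin in: CA chain and
// hostname verification are switched off, so the hardcoded pin alone decides.
func PinnedClientConfig(pins []string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: PinnedVerifier(pins),
	}
}

// selfSigned issues a self-signed test certificate over key (constructed data);
// a "renewal" is just a new serial and validity window over the same key.
func selfSigned(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.invalid"}, // assumed host name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Outcome records what the pinned verifier did with the three constructed certs.
type Outcome struct {
	OriginalAccepted, RenewedAccepted, ImpostorAccepted bool
	PinStable, FingerprintStable                        bool
}

// Run pins the original cert's SPKI hash, then checks the original, a renewal
// over the same key, and an impostor cert over a different key against it.
func Run() (Outcome, error) {
	var o Outcome
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return o, err
	}
	otherKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return o, err
	}
	var certs [3]*x509.Certificate
	for i, in := range []struct {
		k      *ecdsa.PrivateKey
		serial int64
	}{{key, 1}, {key, 2}, {otherKey, 3}} {
		if certs[i], err = selfSigned(in.k, in.serial); err != nil {
			return o, err
		}
	}
	orig, renewed, impostor := certs[0], certs[1], certs[2]
	verify := PinnedClientConfig([]string{SpkiPin(orig)}).VerifyPeerCertificate
	o.OriginalAccepted = verify([][]byte{orig.Raw}, nil) == nil
	o.RenewedAccepted = verify([][]byte{renewed.Raw}, nil) == nil
	o.ImpostorAccepted = verify([][]byte{impostor.Raw}, nil) == nil
	o.PinStable = SpkiPin(orig) == SpkiPin(renewed)
	o.FingerprintStable = CertFingerprint(orig) == CertFingerprint(renewed)
	return o, nil
}

func main() {
	o, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

With `InsecureSkipVerify: true` the pin is the only check, which is what "refuse to accept anything else" means; it also means hostname and expiry are no longer checked, so a client that wants pinning on top of normal verification should leave `InsecureSkipVerify` false and do the same SPKI comparison in the callback, which then runs after the chain has been verified. Ship at least one backup key's pin alongside the live one so a key compromise can be rotated without pushing a new binary.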

But if China is already MITM, they can modify or replace the binary while you are downloading it.

Yep. In that case, you don't own the client.
