On Sat, Feb 27, 2016 at 5:40 PM, Rubens Kuhl <rubensk@gmail.com> wrote:
> Since many commonly used web properties are moving to HSTS + HPKP + CT it will become increasingly difficult to balance performance and security in high latency connections, but when it comes to a payment gateway, that airline should probably turn off acceleration for paypal.com and 3-D Secure bank pages.

PayPal's certificate is not pinned in Chrome/Firefox. IMO a hard error is desirable in this kind of scenario.

https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security...
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#New_sites_pi...

FWIW Southwest uses Row 44 (GEE Media) for inflight wifi.

http://www.geemedia.com/products/connectivity