Comment by rwmj

2 days ago

In theory the client could validate a specific server with a pinned certificate, although TLS implementations can make this difficult to do in practice. TLS also lets you use client certificates to authenticate the client to the server, which could be a win in some situations (although also a PITA to set up).

4 comments

rwmj

Reply
naturalmovement  2 days ago

I can guarantee you with nearly 100% certainty that UEFI TLS clients are bound to be buggy garbage broken in not-insignificant ways.

  • nijave  2 days ago

    From the article, it's using OpenSSL in EDK II

    In fact, a whole section of the article is dedicated to talking about how they got tripped up by OpenSSL security level 3 rejecting 2048 bit RSA key

  • bigfatkitten  2 days ago

    The IP stack and HTTP clients are problematic enough without adding the enormous complexity of a TLS implementation on top.

    • naturalmovement  2 days ago

      They have a hard enough time managing the relatively few certificates for secure boot.

      You want me to believe all the various BIOS manufacturers are going to competently manage a WebPKI root certificate program?