[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Adam Langley agl at google.com
Tue Sep 6 13:44:41 PDT 2011


On Mon, Sep 5, 2011 at 7:35 PM, Ian G <iang at iang.org> wrote:
> Just a question of understanding:  how is the CA pinning information
> delivered to the browser?
>
> (For those who don't know, I also had to look it up too :)  CA pinning is
> where a particular CA is the only one permitted to issue certs for a
> website.  I think, it's a very new feature, in some browsers only?)

I believe that only Chrome does pinning and, in that case, the pins
are built into the browser binary.

Built-in pinning is a crappy, dangerous solution that's only possible
in Chrome because we have great update rates. In the event of a
problem we can push a change out very quickly and be assured that
nearly everyone gets it.

However, pinning without that update system is just storing up
problems for the future. (If anyone starts pinning Google's certs I'm
going to get really mad at you because, at some point in the future,
it's likely that we'll change something and break your users.)

We may also support pinning via HSTS headers in the future. (In short,
you specify pins in an HTTP header over HTTPS and the browser
remembers it.) It's also a foot cannon, but we're considering it.


Cheers

AGL
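As an added illustration, not part of Adam's message or any browser's code, a minimal model of header-delivered pinning and the "storing up problems" failure mode: the browser remembers pins from a hypothetical header received over a validated HTTPS connection, then rejects a later chain whose key was rotated without a backup pin until the entry expires. The header syntax, host name and SPKI bytes are constructed assumptions.

```python
import base64
import hashlib

# Toy blobs standing in for DER-encoded SubjectPublicKeyInfo (constructed).
OLD_KEY = b"constructed-spki-old"
NEW_KEY = b"constructed-spki-new"
BACKUP_KEY = b"constructed-spki-backup"


def spki_pin(spki_der):
    """A pin is the base64 SHA-256 of the public key (SPKI) bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pin_header(value):
    """Parse a hypothetical 'pin-sha256="..."; max-age=N' header value."""
    pins, max_age = set(), 0
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name == "pin-sha256":
            pins.add(val.strip('"'))
        elif name == "max-age":
            max_age = int(val)
    return pins, max_age


class PinStore:
    """What the browser 'remembers' after seeing the header over HTTPS."""

    def __init__(self):
        self.entries = {}  # host -> (set of pins, expiry time)

    def remember(self, host, header, now, chain_ok, chain_spkis):
        pins, max_age = parse_pin_header(header)
        observed = {spki_pin(s) for s in chain_spkis}
        # Only accept pins from a connection that validated normally AND
        # whose own chain matches one of them; otherwise ignore the header,
        # or an attacker with a bad cert could plant pins of their own.
        if not chain_ok or max_age <= 0 or not (pins & observed):
            return False
        self.entries[host] = (pins, now + max_age)
        return True

    def check(self, host, now, chain_spkis):
        entry = self.entries.get(host)
        if entry is None or now >= entry[1]:
            return True  # no unexpired pin: ordinary CA validation decides
        return bool(entry[0] & {spki_pin(s) for s in chain_spkis})
```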


