[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

ArkanoiD ark at eltex.net
Wed Sep 7 01:38:11 PDT 2011


Please keep in mind that there are good reasons for SSL MITM in corporate environment.
So there should be a possibility to move pinning from the browser to the proxy.
Hardcoding anything will certainly break it.

On Tue, Sep 06, 2011 at 04:44:41PM -0400, Adam Langley wrote:
> On Mon, Sep 5, 2011 at 7:35 PM, Ian G <iang at iang.org> wrote:
> > Just a question of understanding:  how is the CA pinning information
> > delivered to the browser?
> >
> > (For those who don't know, I also had to look it up too :)  CA pinning is
> > where a particular CA is the only one permitted to issue certs for a
> > website.  I think, it's a very new feature, in some browsers only?)
> 
> I believe that only Chrome does pinning and, in that case, the pins
> are built into the browser binary.
> 
> Built-in pinning is a crappy, dangerous solution that's only possible
> in Chrome because we have great update rates. In the event of a
> problem we can push a change out very quickly and be assured that
> nearly everyone gets it.
> 
> However, pinning without that update system is just storing up
> problems for the future. (If anyone starts pinning Google's certs I'm
> going to get really mad at you because, at some point in the future,
> it's likely that we'll change something and break your users.)
> 
> We may also support pinning via HSTS headers in the future. (In short,
> you specify pins in an HTTP header over HTTPS and the browser
> remembers it.) It's also a foot cannon, but we're considering it.
> 
> 
> Cheers
> 
> AGL
> 
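To make the two delivery mechanisms under discussion concrete, here is a small model of header-delivered pinning, written for this archive page; it is not code from the thread, from Chrome, or from any browser. The header syntax it parses (pin-sha256="<base64 SHA-256 of the DER SubjectPublicKeyInfo>"; max-age=<seconds>) is assumed for illustration, since the message only says "pins in an HTTP header". Certificates are reduced to their SPKI bytes and every key below is a constructed placeholder string, not real key material. The exemption for chains ending in a locally installed root, which is the usual way to keep a corporate MITM proxy working, is a design choice of this example and not something either poster specifies; the requirement for a backup pin is likewise the example's own answer to the "we'll change something and break your users" problem.

```python
"""Minimal model of key pinning delivered over an HTTP header.

Added example, not code from the thread or from any browser. The header syntax
pin-sha256="<base64 sha256 of SPKI>"; max-age=<seconds> is assumed here for
illustration. Certificates are represented only by their DER-encoded
SubjectPublicKeyInfo bytes, and the sample keys are constructed strings.
"""
import base64
import hashlib
from typing import Dict, List, Set, Tuple


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pin_header(value: str) -> Tuple[Set[str], int]:
    """Parse the assumed 'pin-sha256="..."; max-age=N' header into (pins, max_age).

    At least two pins are required so that a site can rotate to a backup key
    without locking out clients that remembered the old pin (example's choice).
    """
    pins: Set[str] = set()
    max_age = None
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256" and raw:
            pins.add(raw)
        elif name == "max-age":
            max_age = int(raw)  # raises ValueError on a non-numeric value
    if max_age is None or max_age < 0:
        raise ValueError("missing or invalid max-age")
    if len(pins) < 2:
        raise ValueError("need a current and a backup pin")
    return pins, max_age


class PinStore:
    """Per-host remembered pins with expiry, as a browser would keep them."""

    def __init__(self) -> None:
        self._pins: Dict[str, Tuple[Set[str], float]] = {}

    def remember(self, host: str, header: str, now: float) -> None:
        """Store pins seen over HTTPS; max-age=0 clears an existing entry."""
        pins, max_age = parse_pin_header(header)
        if max_age == 0:
            self._pins.pop(host, None)
        else:
            self._pins[host] = (pins, now + max_age)

    def pins_for(self, host: str, now: float) -> Set[str]:
        """Return the live pins for host, dropping an expired entry."""
        entry = self._pins.get(host)
        if entry is None:
            return set()
        pins, expiry = entry
        if now >= expiry:
            del self._pins[host]
            return set()
        return pins

    def check_chain(self, host: str, chain_spki: List[bytes], now: float,
                    chain_ends_in_local_root: bool = False) -> bool:
        """Return True if the presented chain is acceptable for host.

        No remembered pin means trust-on-first-use: accept. A chain ending in a
        root the user installed locally (e.g. a corporate proxy CA) is exempted
        from pin enforcement; that exemption is this example's design choice.
        Otherwise some SPKI in the chain must match a remembered pin.
        """
        pins = self.pins_for(host, now)
        if not pins or chain_ends_in_local_root:
            return True
        return any(spki_pin(spki) in pins for spki in chain_spki)


def demo() -> Dict[str, bool]:
    """Walk through the cases raised in the thread using constructed keys."""
    site_key = b"constructed-spki-for-example.test-current-key"
    backup_key = b"constructed-spki-for-example.test-backup-key"
    new_key = b"constructed-spki-for-example.test-rotated-key"
    proxy_key = b"constructed-spki-for-corporate-proxy"
    header = (f'pin-sha256="{spki_pin(site_key)}"; '
              f'pin-sha256="{spki_pin(backup_key)}"; max-age=5184000')
    store = PinStore()
    t0 = 1_315_355_891  # constructed timestamp
    r: Dict[str, bool] = {}
    r["first_visit_no_pin"] = store.check_chain("example.test", [site_key], t0)
    store.remember("example.test", header, t0)
    r["pinned_key_ok"] = store.check_chain("example.test", [site_key], t0 + 10)
    r["backup_key_ok"] = store.check_chain("example.test", [backup_key], t0 + 10)
    r["unpinned_rotation_breaks"] = store.check_chain("example.test", [new_key], t0 + 10)
    r["proxy_chain_without_exemption"] = store.check_chain("example.test", [proxy_key], t0 + 10)
    r["proxy_chain_with_local_root"] = store.check_chain(
        "example.test", [proxy_key], t0 + 10, chain_ends_in_local_root=True)
    r["after_expiry_ok"] = store.check_chain("example.test", [new_key], t0 + 5184000 + 1)
    return r
```

The demo shows the two failure modes the thread worries about: a site that rotates to a key it never pinned ("unpinned_rotation_breaks") locks out every client that remembered the old header until max-age runs out, and a corporate proxy's substituted chain fails the same way unless the browser deliberately exempts locally installed roots. Built-in pins behave identically except that only a browser update can clear them, which is why the quoted message calls them dangerous without a fast update channel.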