Geekspeak I don't understand
Peter Sommer
peter at pmsommer.com
Wed May 13 07:25:53 BST 2015
From the Mozilla wiki:
Public Key Pinning is a mechanism for sites to specify which certificate
authorities have issued valid certs for that site, and for user-agents
to reject TLS connections to those sites if the certificate is not
issued by a known-good CA. Public key pinning prevents man-in-the-middle
attacks due to rogue CAs not on the site's list (see the DigiNotar
attack, which Chrome detected and we did not).
The feature binds a set of hashes of public keys to a domain name such that
when connecting to a site using TLS the browser ensures that there is an
intersection between the public keys in the computed trust chain and the
set of fingerprints associated with that domain. This check is done
during the certificate verification phase of the connection, before any
data is sent or processed by the browser. In particular we are pinning
the SHA-256 digest of the DER-encoded Subject Public Key Info. In order
to reduce rejections, Firefox computes all potential trust chains before
deciding that there are no valid pins.
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
But it's interesting that this affects Facebook....
Peter Sommer
On 12/05/2015 21:02, Roland Perry wrote:
> Can anyone tell me what this really means, and what might have gone
> wrong, or what's amiss in 'my setup'?
>
> "An error occurred during a connection to www.facebook.com. The server
> uses key pinning (HPKP) but no trusted certificate chain could be
> constructed that matches the pinset. Key pinning violations cannot be
> overridden. (Error code: mozilla_pkix_error_key_pinning_failure)
>
> The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.
>
> Please contact the website owners to inform them of this problem."
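An added worked example, not from the Mozilla wiki or from either poster: an offline model of the check the wiki text describes. Each certificate is reduced to its DER-encoded SubjectPublicKeyInfo (SPKI); the pin is base64(SHA-256(SPKI DER)) as in RFC 7469; every leaf-to-root path the verifier could build is enumerated, and the pinset is satisfied if any one of those paths contains a pinned key. The certificate names, keys, cross-signed root and Public-Key-Pins header are all constructed for the example (Ed25519 SPKI per RFC 8410 is used only because its DER has a fixed prefix, so no X.509 library is needed); the toy path builder stands in for mozilla::pkix and is an assumption, not Firefox's code.

```python
"""
Toy HPKP pin check: pin-sha256 over DER SubjectPublicKeyInfo, tested against
every candidate trust chain (constructed data, not Firefox code).
"""
import base64
import hashlib

# DER SubjectPublicKeyInfo prefix for an Ed25519 key (RFC 8410):
#   SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 }, BIT STRING(33) 00 || key }
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap a 32-byte Ed25519 public key in a DER SubjectPublicKeyInfo."""
    assert len(raw_key) == 32
    return _ED25519_SPKI_PREFIX + raw_key


def spki_pin(spki_der: bytes) -> str:
    """The pin-sha256 value: base64 of SHA-256 over the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value (RFC 7469 directives)."""
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")  # splits at the first '=' only,
        name = name.strip().lower()              # so base64 '=' padding survives
        arg = arg.strip().strip('"')
        if name == "pin-sha256":
            pins.add(arg)
        elif name == "max-age":
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "includeSubDomains": include_sub}


class Cert:
    """Toy certificate: only the fields path building and pinning need."""

    def __init__(self, subject: str, issuer: str, spki: bytes):
        self.subject, self.issuer, self.spki = subject, issuer, spki


def candidate_chains(leaf: Cert, pool: list, depth: int = 0) -> list:
    """All leaf-to-root paths through pool; a root is a self-issued cert."""
    if leaf.subject == leaf.issuer or depth > 8:
        return [[leaf]]
    chains = []
    for issuer in pool:
        if issuer.subject == leaf.issuer and issuer is not leaf:
            for rest in candidate_chains(issuer, pool, depth + 1):
                chains.append([leaf] + rest)
    return chains


def pins_satisfied(chains: list, pins: set) -> bool:
    """True if some candidate chain contains a key whose pin is in the pinset."""
    return any(spki_pin(c.spki) in pins for chain in chains for c in chain)


def check_site(leaf: Cert, pool: list, header: str) -> bool:
    """The browser-side decision: enumerate chains, then look for any intersection."""
    policy = parse_pkp_header(header)
    return pins_satisfied(candidate_chains(leaf, pool), policy["pins"])


def _key(seed: str) -> bytes:
    # Constructed, deterministic stand-in for a real 32-byte public key.
    return hashlib.sha256(seed.encode()).digest()


# Constructed PKI: Root A is both self-signed and cross-signed by the older Root B,
# so a leaf under the intermediate has two possible chains.
ROOT_A = Cert("Root A", "Root A", ed25519_spki(_key("root-a")))
ROOT_A_XS = Cert("Root A", "Root B", ROOT_A.spki)  # cross-signed, same key
ROOT_B = Cert("Root B", "Root B", ed25519_spki(_key("root-b")))
INTER = Cert("Example Intermediate", "Root A", ed25519_spki(_key("inter")))
LEAF = Cert("www.example.com", "Example Intermediate", ed25519_spki(_key("leaf")))
# A rogue CA issuing for the same name, the DigiNotar-style case.
ROGUE_CA = Cert("Rogue CA", "Rogue CA", ed25519_spki(_key("rogue")))
ROGUE_LEAF = Cert("www.example.com", "Rogue CA", ed25519_spki(_key("rogue-leaf")))
POOL = [ROOT_A, ROOT_A_XS, ROOT_B, INTER, ROGUE_CA]

# Constructed header: the site pins Root B's key plus a backup key held offline.
PKP_HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
    spki_pin(ROOT_B.spki), spki_pin(ed25519_spki(_key("backup"))))

if __name__ == "__main__":
    print("genuine leaf, all chains:", check_site(LEAF, POOL, PKP_HEADER))
    print("genuine leaf, first chain only:",
          pins_satisfied(candidate_chains(LEAF, POOL)[:1],
                         parse_pkp_header(PKP_HEADER)["pins"]))
    print("rogue-CA leaf:", check_site(ROGUE_LEAF, POOL, PKP_HEADER))
```

Run stand-alone, the genuine leaf passes only because the second chain (through the cross-signed Root A up to Root B) is considered; a verifier that stopped at the first chain it found would report a pinning failure on a perfectly good site, which is the "reduce rejections" point in the wiki text. The rogue-CA leaf produces no chain with a pinned key, which is the condition behind the mozilla_pkix_error_key_pinning_failure message quoted above.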
More information about the ukcrypto
mailing list