Geekspeak I don't understand
Peter Fairbrother
zenadsl6186 at zen.co.uk
Thu May 14 22:01:03 BST 2015
On 14/05/15 18:23, Alan Braggins wrote:
> On 13 May 2015 at 23:10, Jon Ribbens <jon+ukcrypto at unequivocal.co.uk> wrote:
>> Although, now I think about it, I seem to recall that
>> this kind of certificate pinning tends to have a deliberate exception
>> in it for locally-added certificates.
>
> Certainly Chrome has - I haven't checked Firefox
> https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state.cc&l=135
Yes, Firefox too - in Firefox the default value of 1 for the preference
security.cert_pinning.enforcement_level allows locally-added certificates.
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
There is a list of pinnings which are on by default - they come with the
browser. They typically include TOR, Twitter, Google, Microsoft, some
Mozilla and Firefox sites - but not Facebook. So far this seems to work
well enough.
Pinnings can include more than one CA, which is good.
The problems start when pinnings for new sites are dynamically added to
the list.
Quote from https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning/Implementation_Details :
"Something is Broken, and we Think it's Pinning"
-- Peter F
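As an added illustration, not code from the post or from Firefox itself, a small Python model of the pin check discussed above: pins may name several CAs, and the enforcement level decides whether a chain ending in a locally-added root is exempt. The level constants (0 off, 1 default with the user-root exemption, 2 strict) are taken from the Mozilla wiki page linked above; the SPKI byte strings are constructed stand-ins, not real keys.

```python
import base64
import hashlib
from dataclasses import dataclass

# Meaning of security.cert_pinning.enforcement_level (constants assumed from
# the Mozilla wiki, not Firefox source): 0 = pinning off, 1 = default, pins
# not enforced when the chain ends in a user-added root, 2 = strict.
PINNING_OFF = 0
PINNING_ALLOW_USER_ROOTS = 1
PINNING_STRICT = 2

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 form: base64 of SHA-256 over the SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

@dataclass
class Chain:
    spkis: list            # SPKI bytes, leaf first, root last
    root_is_builtin: bool  # False when the root was added by the user/admin

def pinning_verdict(chain: Chain, pin_set: set, level: int) -> str:
    """Decide 'accept' or 'reject' for an already-validated chain."""
    if level == PINNING_OFF:
        return "accept"
    # Level 1: a locally-added trust anchor is exempt from pinning, which is
    # why a user-installed root is not blocked on a pinned site.
    if level == PINNING_ALLOW_USER_ROOTS and not chain.root_is_builtin:
        return "accept"
    # Otherwise any certificate in the chain may satisfy a pin, so a pin set
    # naming several CAs is matched by any one of them.
    if any(spki_pin(s) in pin_set for s in chain.spkis):
        return "accept"
    return "reject"

# Constructed sample SPKIs (stand-ins for DER, not real keys).
CA_A, CA_B = b"constructed-spki-CA-A", b"constructed-spki-CA-B"
USER_ROOT, LEAF = b"constructed-spki-user-root", b"constructed-spki-leaf"
PIN_SET = {spki_pin(CA_A), spki_pin(CA_B)}   # site pinned to two CAs

def example_verdicts() -> dict:
    legit = Chain([LEAF, CA_B], root_is_builtin=True)
    other_builtin = Chain([LEAF, b"constructed-spki-CA-X"], root_is_builtin=True)
    local_root = Chain([LEAF, USER_ROOT], root_is_builtin=False)
    return {
        "pinned_ca_level1": pinning_verdict(legit, PIN_SET, PINNING_ALLOW_USER_ROOTS),
        "unpinned_builtin_level1": pinning_verdict(other_builtin, PIN_SET, PINNING_ALLOW_USER_ROOTS),
        "user_root_level1": pinning_verdict(local_root, PIN_SET, PINNING_ALLOW_USER_ROOTS),
        "user_root_level2": pinning_verdict(local_root, PIN_SET, PINNING_STRICT),
    }
```

Setting the preference to 2 is the configuration change that removes the exemption; the last two entries of `example_verdicts()` show the difference.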