Geekspeak I don't understand

Peter Fairbrother zenadsl6186 at
Thu May 14 22:01:03 BST 2015

On 14/05/15 18:23, Alan Braggins wrote:
> On 13 May 2015 at 23:10, Jon Ribbens <jon+ukcrypto at> wrote:
>> Although, now I think about it, I seem to recall that
>> this kind of certificate pinning tends to have a deliberate exception
>> in it for locally-added certificates.
> Certainly Chrome has - I haven't checked Firefox

Yes, Firefox too - in Firefox the default value of 1 for the preference 
security.cert_pinning.enforcement_level allows locally-added certificates.

There is a list of pinnings which are on by default - they come with the 
browser. They typically include TOR, Twitter, Google, Microsoft, some 
Mozilla and Firefox sites - but not Facebook. So far this seems to work 
well enough.

Pinnings can include more than one CA, which is good.

The problems start when pinnings for new sites are dynamically added to 
the list.

Quote from 

"Something is Broken, and we Think it's Pinning"

-- Peter F
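
A check for the preference discussed in the message above, added here as an example (it is not part of the message and not Firefox code). It reads the text of a profile's prefs.js and user.js and reports whether a locally-added CA is exempt from pin checks. The level meanings follow Mozilla's public key pinning documentation; the function names and sample file contents are constructed for illustration.

```python
import re

PREF = "security.cert_pinning.enforcement_level"
DEFAULT_LEVEL = 1  # default value stated in the message above

# Level meanings as documented by Mozilla for this preference.
LEVELS = {
    0: "pinning disabled",
    1: "pins enforced unless the chain ends in a locally-added CA",
    2: "strict: pins enforced for locally-added CAs too",
    3: "strict, and test-mode pins are enforced as well",
}

# Matches lines of the form user_pref("name", value); (commented lines do not match).
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def pinning_level(*pref_texts):
    """Return (level, explicitly_set). Later texts override earlier ones,
    so pass prefs.js first and user.js second."""
    level, explicit = DEFAULT_LEVEL, False
    for text in pref_texts:
        for name, raw in PREF_RE.findall(text):
            if name == PREF and re.fullmatch(r"-?\d+", raw):
                level, explicit = int(raw), True
    return level, explicit


def local_ca_bypasses_pins(level):
    """True when a locally-added CA can issue for a pinned site without a pin failure."""
    return level in (0, 1)


# Constructed sample file contents, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("network.proxy.type", 1);
'''
SAMPLE_USER_JS = '''// user_pref("security.cert_pinning.enforcement_level", 0);
user_pref("security.cert_pinning.enforcement_level", 2);
'''

if __name__ == "__main__":
    for label, texts in (("prefs.js only", (SAMPLE_PREFS_JS,)),
                         ("prefs.js + user.js", (SAMPLE_PREFS_JS, SAMPLE_USER_JS))):
        level, explicit = pinning_level(*texts)
        print(f"{label}: level {level} ({LEVELS.get(level, 'unknown')}), "
              f"explicit={explicit}, local CA exempt={local_ca_bypasses_pins(level)}")
```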
