Geekspeak I don't understand
zenadsl6186 at zen.co.uk
Thu May 14 22:01:03 BST 2015
On 14/05/15 18:23, Alan Braggins wrote:
> On 13 May 2015 at 23:10, Jon Ribbens <jon+ukcrypto at unequivocal.co.uk> wrote:
>> Although, now I think about it, I seem to recall that
>> this kind of certificate pinning tends to have a deliberate exception
>> in it for locally-added certificates.
> Certainly Chrome has - I haven't checked Firefox

Yes, Firefox too - in Firefox the default value of 1 for the preference
security.cert_pinning.enforcement_level allows locally-added certificates.
There is a list of pinnings which are on by default - they come with the
browser. They typically include TOR, Twitter, Google, Microsoft, some
Mozilla and Firefox sites - but not Facebook. So far this seems to work
Pinnings can include more than one CA, which is good.
The problems start when pinnings for new sites are dynamically added to
"Something is Broken, and we Think it's Pinning"
-- Peter F
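
An added example, not part of the original post: a check of which pinning enforcement level a Firefox profile would actually use, and whether a locally-added CA is exempt from the built-in pins at that level. The default of 1 is taken from the post; the meanings of levels 0, 2 and 3 are from Mozilla's documentation, and the function names and sample preference files are constructed for illustration.

```python
import re

PREF = "security.cert_pinning.enforcement_level"
DEFAULT_LEVEL = 1  # default stated in the post above

# Level meanings: 1 is from the post; 0, 2, 3 are from Mozilla's documentation.
LEVELS = {
    0: "pinning disabled",
    1: "pins enforced, except for chains ending in a locally-added CA",
    2: "strict: pins enforced even for locally-added CAs",
    3: "strict, and test-mode pins are enforced too",
}

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Matches only live assignments; a line starting with // does not match.
_ASSIGN = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(-?\d+)\s*\)\s*;', re.M)

def effective_level(prefs_js="", user_js=""):
    """user.js is applied on top of prefs.js; the last assignment in a file wins."""
    level = DEFAULT_LEVEL
    for text in (prefs_js, user_js):
        found = _ASSIGN.findall(_BLOCK_COMMENT.sub("", text))
        if found:
            level = int(found[-1])
    return level

def audit(prefs_js="", user_js=""):
    level = effective_level(prefs_js, user_js)
    return {
        "level": level,
        "meaning": LEVELS.get(level, "unknown value"),
        # Anything other than the two strict levels is reported as bypassable.
        "local_ca_bypasses_pins": level not in (2, 3),
    }

# Constructed sample profile files (not taken from a real profile).
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.page", 3);
user_pref("security.cert_pinning.enforcement_level", 0);
'''
SAMPLE_USER_JS = '''
// user_pref("security.cert_pinning.enforcement_level", 1);
/* user_pref("security.cert_pinning.enforcement_level", 3); */
user_pref("security.cert_pinning.enforcement_level", 2);
'''

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```
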