Re: [TLS] fyi: paper on compelled, certificate creation attack and applicable appliance

Adam Langley <> Thu, 25 March 2010 17:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B82703A6B8C; Thu, 25 Mar 2010 10:58:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.988
X-Spam-Status: No, score=-102.988 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, DNS_FROM_OPENWHOIS=1.13, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6RVCHAURkW1f; Thu, 25 Mar 2010 10:58:17 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id BA6E63A6C1D; Thu, 25 Mar 2010 10:57:28 -0700 (PDT)
Received: from ( []) by with ESMTP id o2PHvnh5012932; Thu, 25 Mar 2010 10:57:49 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;; s=beta; t=1269539870; bh=FwOPz6WbCbR6Xo7YG8epsvRhPvE=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=CJ3JYvCMRMXgUIsjCZb2TwJw4iHID8Nae2+tdym3jJZgewidyGGtzJx9A9jubAj/c yDmUVPBUHm2dcW6tduSMQ==
DomainKey-Signature: a=rsa-sha1; s=beta;; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=LhnqiDSFlaP7NygiEF4WS9da5oSTv6fI3A9GAKlB8giP2YJoTpzNk1pzzMnwWzeFE NZwgQftqpa+2htQ5B5+GA==
Received: from iwn17 ( []) by with ESMTP id o2PHvkNe026860; Thu, 25 Mar 2010 10:57:48 -0700
Received: by iwn17 with SMTP id 17so4134897iwn.19 for <multiple recipients>; Thu, 25 Mar 2010 10:57:48 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id r16mr503549iby.57.1269539867803; Thu, 25 Mar 2010 10:57:47 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Thu, 25 Mar 2010 13:57:47 -0400
Message-ID: <>
From: Adam Langley <>
To: Yoav Nir <>
Content-Type: text/plain; charset=UTF-8
X-System-Of-Record: true
Cc: "" <>, "" <>, "" <>
Subject: Re: [TLS] fyi: paper on compelled, certificate creation attack and applicable appliance
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Mar 2010 17:58:18 -0000

On Wed, Mar 24, 2010 at 10:22 PM, Yoav Nir <> wrote:
> or

I haven't mentioned this on the list yet, and it's not an answer to
the problems in this papers, but we are actively welcoming entries on
the Preloaded STS list. If you know someone who runs a major HTTPS
site, please mention it.

Preloaded STS sites

There is still a window where a user who has a fresh install, or who
wipes out their local state, is vulnerable. Because of that, we'll be
starting a "Preloaded STS" list. These domains will be configured for
STS out of the box. In the beginning, this will be hardcoded into the
binary. As it (hopefully) grows, it can change into a list this is
shared across browsers, like the safe-browsing database is today.

If you own a site that you would like to see included in the preloaded
STS list, contact

Current members of the preloaded STS list: