Re: [websec] Certificate Pinning via HSTS (.txt version)

Yoav Nir <ynir@checkpoint.com> Wed, 14 September 2011 06:15 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: SM <sm@resistor.net>
Date: Wed, 14 Sep 2011 09:17:57 +0300
Message-ID: <05C4445E-96F3-4CB6-979A-E0C576C35DE2@checkpoint.com>
References: <4E6E9B77.1020802@KingsMountain.com> <4E6F9DC6.2080006@stpeter.im> <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com> <6.2.5.6.2.20110913153237.0851f630@resistor.net>
In-Reply-To: <6.2.5.6.2.20110913153237.0851f630@resistor.net>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS (.txt version)

On Sep 14, 2011, at 2:06 AM, SM wrote:

> Hi Yoav,
> At 11:41 13-09-2011, Yoav Nir wrote:
>> Six months ago we would not have thought that Comodo or DigiNotar 
>> were easy to hack. In the latter case, the customers of DigiNotar 
>> were left out in the cold. Without
> 
>   "The DigiNotar partnership has laid down its security policy in action protocols
>    and technical protocols. For safety reasons, these documents are not publicly
>    available, which means that they are unavailable for inspection."
> 
>   "A regular audit is performed by an independent external auditor to
>    assess Comodo's compliance with the AICPA/CICA WebTrust program for
>    Certification Authorities."
> 
> People get sloppy.  Businesses get complacent.  At the end of the 
> day, it is a business decision.
> 

It's all legalese to me. I can read 180 such statements (for the 180 root CAs in Microsoft's store) and not get a sense of which one is safe enough for me. 

I don't think the average site administrator (or whoever it is who buys certificates in your organization) has better information. Besides, they tend not to put too much thought into such a small expenditure.