Re: [websec] Question on Pinning Overrides

Jeffrey Walton <> Sun, 19 October 2014 16:27 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 985D41A1C00 for <>; Sun, 19 Oct 2014 09:27:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Exdc4Svd094J for <>; Sun, 19 Oct 2014 09:27:31 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E15421A1BFC for <>; Sun, 19 Oct 2014 09:27:30 -0700 (PDT)
Received: by with SMTP id rp18so3274504iec.7 for <>; Sun, 19 Oct 2014 09:27:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=TD18FvCVHxPLIDQwIu0e5TLLMcAy8IHU7wfIrUy30Dk=; b=sky9AL+ZqMB4gpU8eYbnYfVqOG1BFDRKQPKQ/VRiTFF/JxxYYbcjFqSgZvc2qcjXl2 hx4JE1/uyPN7yB3tXRWfSXZKVNu70ZYsg4uqwpSpy7pPnJrgUN0i3Lp9hp/cU6CShXVJ nIMaN7NL23e3vUlyi9rcD+Zyr7cmCgo2kaB+GycFx7ppVML6MkgDhaSZ/E87xrx+QFdf eJzsHqbxECp6oCeBc/EqHUJO2OQRJUXJj+F6ujud8gd99P5r9e5bXEcCSwQNcybnIkNA yD/ndpOxdc8f3Vy8JEpJMTzc/P4paGQ3hHteTEBNeqgFnBIIcyHI9ftzKxBAp8W4GiGf X6kw==
MIME-Version: 1.0
X-Received: by with SMTP id ru7mr770947igb.32.1413736050209; Sun, 19 Oct 2014 09:27:30 -0700 (PDT)
Received: by with HTTP; Sun, 19 Oct 2014 09:27:30 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Sun, 19 Oct 2014 12:27:30 -0400
Message-ID: <>
From: Jeffrey Walton <>
To: Chris Palmer <>
Content-Type: text/plain; charset="UTF-8"
Cc: IETF WebSec WG <>
Subject: Re: [websec] Question on Pinning Overrides
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 19 Oct 2014 16:27:32 -0000

Hi Chris,

I've had a few days to think about this...

>> If correct, won't that break Chrome with respect to
>> (see section
>> "What about MITM proxies, Fiddler etc?")?
> Section 2.6:
> """ For example, a UA may disable Pin Validation for Pinned Hosts
> whose validated certificate chain terminates at a user-defined trust
> anchor, rather than a trust anchor built-in to the UA (or underlying
> platform)."""
> So that's how you make Fiddler work, among other things.

This is where I am concerned: user-defined. I thinks its a mistake to
claim the user defined anything under most circumstances and use
cases. Its not clear to me where the user makes a well informed

The uncommon case is the pen-tester or researcher using the proxy
tools. In this use case, the user clearly made the decision, and
clearly defined the trust anchor.

I think the more common cases of "I want to use my device at work" or
"I must click through the buttons to use the wifi hotspot" is devoid
of any user understanding and decision. In this use case, the user did
not define a trust anchor. Rather, it was surreptitiously installed by
the device management software or unscrupulous service providers.

In fact, the "user's decision" was likely hidden away in a Terms of
Service when Nokia was caught performing intercept en masse [0]. In
this case, the user clearly did not define anything. Rather, the
handset manufacture made the decision for the user.

Is there anything that can be done to address the gap?