IETF Logo Mail Archive

Re: [websec] Certificate Pinning via HSTS (.txt version)

"Steingruebl, Andy" <asteingruebl@paypal-inc.com> Tue, 13 September 2011 20:40 UTC

Return-Path: <asteingruebl@paypal-inc.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 273E911E80C9 for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 13:40:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.117
X-Spam-Level:
X-Spam-Status: No, score=-9.117 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DNS_FROM_RFC_BOGUSMX=1.482, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id csAvedLTgOWv for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 13:40:15 -0700 (PDT)
Received: from den-mipot-002.corp.ebay.com (den-mipot-002.corp.ebay.com [216.113.175.153]) by ietfa.amsl.com (Postfix) with ESMTP id 850E611E80BB for <websec@ietf.org>; Tue, 13 Sep 2011 13:40:15 -0700 (PDT)
DomainKey-Signature: s=ppinc; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To:CC: Date:Subject:Thread-Topic:Thread-Index:Message-ID: References:In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:acceptlanguage: x-ems-proccessed:x-ems-stamp:Content-Type: Content-Transfer-Encoding:MIME-Version:X-CFilter; b=l7j9CoZIoQRJr3FScgb5XdNfS1SmAGeOuWepKpGQ7kY/6CGMgKUIgugC T+CCLuNV2VxeH+MsusqDx9RJJva2IDBXS5R8PJ/2Wj/BpMjfKqdxQ0ra4 7kcDJN+M1coHPzz;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=asteingruebl@paypal-inc.com; q=dns/txt; s=ppinc; t=1315946543; x=1347482543; h=from:to:cc:date:subject:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=jttAiALAPW3MBksOcDbvS73hferVFjbzv5pIb8iw1p4=; b=Lfr/Wqf6Lx5oYp5uE1iblWYFYuo/Y27BmMOW065p7fiyjyUDqHhmf+DY lWAMI6Yd03kPXFIpepMNNxMPGOpDLbWELyEOvPuYILT4pYvJuw0T+gZYe MOYjoe8K07ZjzNC;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.68,375,1312182000"; d="scan'208";a="3876492"
Received: from den-vtenf-002.corp.ebay.com (HELO DEN-MEXHT-002.corp.ebay.com) ([10.101.112.213]) by den-mipot-002.corp.ebay.com with ESMTP; 13 Sep 2011 13:42:22 -0700
Received: from DEN-MEXMS-001.corp.ebay.com ([10.241.16.225]) by DEN-MEXHT-002.corp.ebay.com ([10.241.17.53]) with mapi; Tue, 13 Sep 2011 14:42:22 -0600
From: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
To: Marsh Ray <marsh@extendedsubset.com>, Yoav Nir <ynir@checkpoint.com>
Date: Tue, 13 Sep 2011 14:42:21 -0600
Thread-Topic: [websec] Certificate Pinning via HSTS (.txt version)
Thread-Index: AcxyUL4PnQmGY4ETQHWeWUEo7RiAygABKO6w
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEBD6040B5A@DEN-MEXMS-001.corp.ebay.com>
References: <4E6E9B77.1020802@KingsMountain.com> <4E6F9DC6.2080006@stpeter.im> <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com> <4E6FB7CB.3020309@extendedsubset.com>
In-Reply-To: <4E6FB7CB.3020309@extendedsubset.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-ems-proccessed: 10SqDH0iR7ekR7SRpKqm5A==
x-ems-stamp: iCZbWlMU6SG5XUwjF3GOeA==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter: Scanned
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS (.txt version)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2011 20:40:16 -0000

> -----Original Message-----
> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On
> Behalf Of Marsh Ray
> 
> What if they maliciously pinned you to a floundering CA?

What is they compromised your DNS server and sent out bogus A records with a crazy long TTL?  

I think trying to make HSTS and TLS, protocols that rely on a private key staying secret, resilient completely against a key compromise, for all manner of attacks, simply isn't practical....

- Andy

v2.23.0 | Report a Bug | By Email