Re: [websec] Certificate Pinning via HSTS (.txt version)

Marsh Ray <> Tue, 13 September 2011 20:04 UTC

Just thinking out loud here.

On 09/13/2011 01:41 PM, Yoav Nir wrote:
> Locking yourself into a CA like that seems like a bad idea. Unlike
> the Dutch government and Mozilla, most customers do not have the pull
> to force CAs to submit to audits.

Or not, like the Dutch government, have the pull to convince Mozilla to 
hesitate for a few days to revoke your pwned CA.

> Six months ago we would not have thought that Comodo or DigiNotar
> were easy to hack. In the latter case, the customers of DigiNotar
> were left out in the cold. Without certificate pinning, they just
> need to spend money on a new certificate and their site is working
> again. With it, they are in trouble.

When would locking yourself into a keypair be any more sensible?

PKI has a long history of uncounted thousands of revoked certs, most 
probably for mundane reasons. But a large number of critical cases are 
certainly due to the webserver and private key getting pwned (like

What if an attacker pwned your web server and configured it to broadcast 
HSTS for a few days, pinning you to the keypair of which they now know 
the private key?

What if they maliciously pinned you to a floundering CA?

Google is one thing, they have their own CA and even their own web browser.

Q: What kind of pinning would we recommend to our friend or family 
member who runs his business on the web?
Right now he has his domain registration and cert from GoDaddy.

- Marsh