IETF Logo Mail Archive

Re: [websec] Certificate Pinning via HSTS (.txt version)

davidillsley@gmail.com Tue, 13 September 2011 22:36 UTC

Return-Path: <davidillsley@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE84E21F88B6 for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 15:36:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JnmT4-WhNmLH for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 15:36:38 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id F18E321F8888 for <websec@ietf.org>; Tue, 13 Sep 2011 15:36:37 -0700 (PDT)
Received: by wyg24 with SMTP id 24so1069095wyg.31 for <websec@ietf.org>; Tue, 13 Sep 2011 15:38:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=UvrHXb7WOIw2+C+83ec3O2LP8TTNQ/Q8Accjsa9L2Ww=; b=QkHQbmfEbg02eMuhPVX2jDyTTXAz19htON1VdsXN4WxwTuoaCeNFVeceMpjO7Rm6m7 bCwYwtdK3ztEbvQXHJsh7QAPzrYkZKbiEcuXQvpFC/tEZp6TciVPy1Wi5VL7oJGzgg8G 1LuVu5BJwxWIkbMw4Mf+GDKzO0sq2xycO+7gg=
Received: by 10.227.198.18 with SMTP id em18mr3259166wbb.25.1315953524699; Tue, 13 Sep 2011 15:38:44 -0700 (PDT)
Received: from unknown-04-0c-ce-d5-9a-fe.config (87-194-130-80.bethere.co.uk. [87.194.130.80]) by mx.google.com with ESMTPS id ek13sm1996577wbb.23.2011.09.13.15.38.42 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 13 Sep 2011 15:38:42 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1244.3)
Content-Type: multipart/alternative; boundary="Apple-Mail=_8E6319D2-5828-4CB4-B8D7-64EE8FDCE03C"
From: davidillsley@gmail.com
In-Reply-To: <4E6FD975.9010502@extendedsubset.com>
Date: Tue, 13 Sep 2011 23:38:41 +0100
Message-Id: <DCDD9449-2DA6-4293-A539-C778C288BF09@gmail.com>
References: <4E6E9B77.1020802@KingsMountain.com> <4E6F9DC6.2080006@stpeter.im> <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com> <4E6FB7CB.3020309@extendedsubset.com> <CAOuvq20H+pG1AF0u-=-Ow9oR=uGRb-wDwrFE6dPmT=HbvnO6VA@mail.gmail.com> <6D3E0CA6-E990-4D89-9AEE-C03066D0656E@gmail.com> <4E6FD975.9010502@extendedsubset.com>
To: Marsh Ray <marsh@extendedsubset.com>
X-Mailer: Apple Mail (2.1244.3)
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS (.txt version)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2011 22:36:38 -0000

On 13 Sep 2011, at 23:30, Marsh Ray wrote:
> <snip>
> Wouldn't they have to acquire a valid cert first? Not saying that's out of the realm of possibility, but...

Yeah, but in the case that you've gained control of a domains DNS, which is what happened, how hard would it be to get a valid DV cert?

v2.23.0 | Report a Bug | By Email