[guardian-dev] Gibberbot TLS pinning (+other apps?)
Tom Ritter
tom at ritter.vg
Sun Nov 11 16:20:13 EST 2012
On 19 October 2012 10:20, Abel Luck <abel at guardianproject.info> wrote:
> A possible solution isn't to TOFU the leaf cert, but some higher level
> cert in the chain. So you TOFU google's CA cert, and ensure all
> subsequent connections chain up to that cert.
>
> We should investigate which providers do what, then detect and provide
> sensible defaults for those providers.
If you look at http://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.json?view=markup
you should get a decent idea of how many people want to pin, but use
more than one CA. The big guy is Twitter.
Also, while investigating this, I came across an interesting behavior
by Google: pinning to a CA, but explicitly disallowing certain
Intermediates. I wrote it up here:
http://ritter.vg/blog-cas_and_pinning.html
-tom
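The chain-level pinning Abel describes, plus the two wrinkles Tom raises (a provider that pins to more than one CA, and a pinned CA with specific intermediates excluded), as an added example in Python. This is not Gibberbot's or the Guardian Project's code and does not model any real provider's chain: the certificates are stand-in objects whose SPKI bytes are constructed placeholders, the pin store is in memory, chains are assumed to be ordered leaf first and root last, and it is meant to run after ordinary path validation, not instead of it.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: pinning only needs the SPKI."""
    subject: str
    spki: bytes  # DER SubjectPublicKeyInfo; constructed placeholder bytes below


def spki_sha256(cert: Cert) -> bytes:
    """Pin the hash of the SubjectPublicKeyInfo rather than of the whole cert, so a
    CA that re-issues its certificate under the same key still matches the pin."""
    return hashlib.sha256(cert.spki).digest()


class ChainPinner:
    """TOFU a CA from the chain on first contact, then require every later chain
    for that host to contain one pinned CA and none of the disallowed SPKIs."""

    def __init__(self, disallowed_intermediates=()):
        self._pins = {}  # host -> set of SPKI hashes of acceptable CAs
        self._bad = {spki_sha256(c) for c in disallowed_intermediates}

    def add_pin(self, host, ca_cert):
        """Allow an additional CA for a host, for providers that use several."""
        self._pins.setdefault(host, set()).add(spki_sha256(ca_cert))

    def pins_for(self, host):
        return set(self._pins.get(host, ()))

    def verify(self, host, chain):
        """chain is ordered leaf first, root last. Returns (accepted, reason)."""
        if len(chain) < 2:
            return False, "chain carries no CA certificate to pin"
        hashes = [spki_sha256(c) for c in chain]
        # Negative pins win over positive ones: a chain is rejected if it passes
        # through a disallowed intermediate even when it reaches a pinned CA.
        for cert, h in zip(chain, hashes):
            if h in self._bad:
                return False, "chain passes through disallowed intermediate " + cert.subject
        known = self._pins.get(host)
        if known is None:
            # First contact: trust the top-most CA presented and remember its SPKI.
            self._pins[host] = {hashes[-1]}
            return True, "first contact, pinned " + chain[-1].subject
        if known & set(hashes[1:]):  # the leaf itself is never the pin
            return True, "chain contains a pinned CA"
        return False, "no CA in the chain matches a pin for " + host


# Constructed sample certificates (hypothetical names, placeholder SPKI bytes).
ROOT = Cert("Example Root CA", b"constructed-spki:example-root")
OTHER_ROOT = Cert("Other Root CA", b"constructed-spki:other-root")
INT_OK = Cert("Example Intermediate G1", b"constructed-spki:example-int-g1")
INT_BAD = Cert("Example Intermediate G2", b"constructed-spki:example-int-g2")
LEAF_1 = Cert("xmpp.example.net", b"constructed-spki:leaf-2012")
LEAF_2 = Cert("xmpp.example.net", b"constructed-spki:leaf-2013")  # renewed leaf, new key
HOST = "xmpp.example.net"


def run_scenarios():
    """Walk one host through the cases discussed in the thread; returns (ok, reason) pairs."""
    pinner = ChainPinner(disallowed_intermediates=[INT_BAD])
    results = [
        pinner.verify(HOST, [LEAF_1, INT_OK, ROOT]),     # first contact: TOFU the root
        pinner.verify(HOST, [LEAF_2, INT_OK, ROOT]),     # leaf rotated, chain still pinned
        pinner.verify(HOST, [LEAF_2, INT_BAD, ROOT]),    # same root, excluded intermediate
        pinner.verify(HOST, [LEAF_2, OTHER_ROOT]),       # different CA entirely
    ]
    pinner.add_pin(HOST, OTHER_ROOT)                     # provider legitimately uses two CAs
    results.append(pinner.verify(HOST, [LEAF_2, OTHER_ROOT]))
    return results, pinner


if __name__ == "__main__":
    for ok, reason in run_scenarios()[0]:
        print("ACCEPT" if ok else "REJECT", "-", reason)
```

The second scenario is the point of pinning above the leaf: a routine certificate renewal with a fresh key would break a leaf-level TOFU store but passes here. The third shows why a negative list is needed alongside the positive pin, and the last two show a per-host pin set with more than one CA, which is what a static list like Chromium's has to express for providers that issue from several roots. A first-contact TOFU still trusts whatever chain it is shown, so the disallowed-intermediate list has to ship with the app rather than be learned.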