nanog mailing list archives
Re: Gmail and SSL
From: Steven Bellovin <smb () cs columbia edu>
Date: Wed, 2 Jan 2013 19:29:05 -0500
On Jan 2, 2013, at 7:15 PM, Randy Bush <randy () psg com> wrote:
>> Do you run Cert Patrol (a Firefox extension) in your browser?
>
> yes, but my main browser is chrome (ff does poorly with nine windows and 60+ tabs). there is some sort of pinning, or at least discussion of it. but it is not clear what is actually provided. and i don't see evidence of churn reporting.

Google uses certificate pinning for a very, very few sites. From http://blog.chromium.org/2011/06/new-chromium-security-features-june.html :

  In addition in Chromium 13, only a very small subset of CAs have the authority to vouch for Gmail (and the Google Accounts login page).

You can turn it on for other sites but:

  Advanced users can enable stronger security for some web sites by visiting the network internals page: chrome://net-internals/#hsts

  You can now force HTTPS for any domain you want, and even “pin” that domain so that only a more trusted subset of CAs are permitted to identify that domain.

  _It’s an exciting feature but we’d like to warn that it’s easy to break things! We recommend that only experts experiment with net internals settings._

Emphasis theirs.

The only Chrome browser I have lying around right now is on a Nexus 7 tablet; I don't see any way to list the pinned certs from the browser. There is a list at http://www.chromium.org/administrators/policy-list-3, and while I don't know how current it is you'll notice a decided dearth of interesting sites with the exceptions of paypal.com and lastpass.com.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
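
The pin check that the quoted blog passage describes, as an added example that is not part of the original post or of Chromium's code: it assumes pins are base64 SHA-256 hashes of a certificate's SubjectPublicKeyInfo and that a pinned host is accepted when any certificate in the already-validated chain matches. The certificates and the helpers `der` and `fake_cert` are constructed stand-ins so the block runs offline.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_of(cert_der):
    """Return the raw SubjectPublicKeyInfo element of an X.509 certificate."""
    _, start, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, start)      # tbsCertificate SEQUENCE
    tag, _, after = read_tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] version field
        pos = after
    for _ in range(5):  # skip serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    return cert_der[pos:read_tlv(cert_der, pos)[2]]

def spki_pin(cert_der):
    """Pin value: base64 of SHA-256 over the SPKI (assumed pin format)."""
    return base64.b64encode(hashlib.sha256(spki_of(cert_der)).digest()).decode()

def chain_satisfies_pins(chain, pins):
    """Run after normal chain validation: some cert in the chain must be pinned."""
    return any(spki_pin(cert) in pins for cert in chain)

# Constructed sample data: skeletal DER certificates, not real ones.
def der(tag, body):
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def fake_cert(name, key):
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    fields = [der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30, b""),
              der(0x30, b""), der(0x30, b""), der(0x30, der(0x0C, name)), spki]
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")), spki

LEAF, LEAF_SPKI = fake_cert(b"leaf", b"\x01" * 200)
CA_A, CA_A_SPKI = fake_cert(b"pinned CA", b"\x02" * 200)
CA_B, _ = fake_cert(b"other CA", b"\x03" * 200)
PINS = {spki_pin(CA_A)}  # the "more trusted subset of CAs" for this host
```

A chain ending at `CA_B` can be perfectly valid under the normal trust store and still fail `chain_satisfies_pins`, which is both the protection and the way a mis-set pin breaks a site.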