On Mon, Oct 08, 2012 at 07:42:04AM +0000, Marco Molteni (mmolteni) wrote:
> try searching for "certificate pinning". If you are familiar with ssh, it
> is the same concept as the StrictHostKeyChecking option (although
> obviously SSH and TLS are completely distinct protocols and by default SSH
> doesn't use X.509 certs).
> 
> The idea is: with a standard TLS connection, acting as TLS client, you
> connect to a host for the first time and you receive its certificate. The
> standard TLS verifications are successful (meaning: the certificate really
> belongs to the host and it has been issued by a CA you trust). When the
> connection is closed, a normal TLS client will forget the certificate.
> 
> On the other hand, certificate pinning remembers the certificate. Pinning
> means storing such a certificate locally and associating it with the hostname
> you connected to. If the next time you connect the certificate has
> changed, a system supporting certificate pinning will warn you.

I believe this is what the Certificate Patrol plugin for Firefox is
doing, if you want to see it in action.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.

Attachment: pgpbBheOvp6Xv.pgp
Description: PGP signature
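The trust-on-first-use pinning described in the quoted message, as an added example that is not code from the thread, from Certificate Patrol, or from any other project. It assumes a JSON pin store keyed by hostname holding the SHA-256 fingerprint of the DER-encoded leaf certificate; the hostname, file path and the byte strings standing in for certificates in the demo are all constructed for illustration.

```python
"""Trust-on-first-use certificate pinning for a TLS client.

Added example, not code from the mailing-list thread or from the
Certificate Patrol plugin. Assumed design: a JSON file mapping a hostname
to 'sha256:<hex>' of its DER-encoded leaf certificate.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path

FIRST_SEEN = "first-seen"  # no pin yet: remember this certificate
MATCH = "match"            # same certificate as last time
MISMATCH = "mismatch"      # certificate changed: warn the user


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate bytes, rendered as 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Hostname -> fingerprint store; path=None keeps it in memory only."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, hostname: str, cert_der: bytes) -> str:
        """Compare the presented certificate with the pin stored for hostname."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(hostname)
        if pinned is None:
            self.pins[hostname] = fp      # trust on first use
            self.save()
            return FIRST_SEEN
        if pinned == fp:
            return MATCH
        return MISMATCH                   # never overwrite silently

    def accept(self, hostname: str, cert_der: bytes):
        """Re-pin only after the user has explicitly approved the change."""
        self.pins[hostname] = fingerprint(cert_der)
        self.save()


def connect_and_check(store: PinStore, hostname: str, port: int = 443) -> str:
    """Standard chain + hostname verification first, then the pin check.

    Needs network access; not exercised by the offline demo below.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert_der = tls.getpeercert(binary_form=True)
    return store.check(hostname, cert_der)


if __name__ == "__main__":
    # Offline demo on constructed byte strings standing in for DER certs.
    store = PinStore()
    cert_a = b"constructed-der-certificate-A"
    cert_b = b"constructed-der-certificate-B"
    print(store.check("mail.example.org", cert_a))  # first-seen
    print(store.check("mail.example.org", cert_a))  # match
    print(store.check("mail.example.org", cert_b))  # mismatch
```

Two caveats worth keeping in mind with this scheme: the pin check runs after, not instead of, the normal CA and hostname validation, and a TOFU store is only as trustworthy as the very first connection that populated it. Pinning the whole leaf certificate also means every legitimate renewal shows up as a mismatch; hashing the certificate's SubjectPublicKeyInfo instead survives renewals that keep the same key pair, at the cost of a little more parsing.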