Hi All/Nick. According to About Jelly Bean (http://developer.android.com/about/versions/jelly-bean.html), libcore SSL supports pinning:

"Certificate Pinning — The libcore SSL implementation now supports certificate pinning. Pinned domains will receive a certificate validation failure if the certificate does not chain to a set of expected certificates. This protects against possible compromise of Certificate Authorities."

I know it tells me certificate pinning, but is that public key pinning? I've been running tests on encrypted.google.com and gmail.com for the last 18 months or so. Google rotates its certificates regularly, but the underlying public key is static.