On Mon, Oct 8, 2012 at 9:25 AM, Mark H. Wood <mw...@iupui.edu> wrote:
> On Mon, Oct 08, 2012 at 07:42:04AM +0000, Marco Molteni (mmolteni) wrote:
>> Try searching for "certificate pinning". If you are familiar with ssh, it
>> is the same concept of the StrictHostKeyChecking option (although
>> obviously SSH and TLS are completely distinct protocols and by default SSH
>> doesn't use X.509 certs).
>>
>> The idea is: with a standard TLS connection, acting as TLS client, you
>> connect to a host for the first time and you receive its certificate. The
>> standard TLS verifications are successful (meaning: the certificate really
>> belongs to the host and it has been issued by a CA you trust). When the
>> connection is closed, a normal TLS client will forget the certificate.
>>
>> On the other hand, certificate pinning remembers the certificate. Pinning
>> means storing that certificate locally and associating it with the hostname
>> you connected to. If the next time you connect the certificate has
>> changed, a system supporting certificate pinning will warn you.
>
> I believe this is what the Certificate Patrol plugin for Firefox is
> doing, if you want to see it in action.

This plug-in pins certificates (not public keys), and creates a lot of
spurious noise on some sites (for example, Google and Gmail). It
desensitizes the user.

I've been running experiments on Google and Gmail for the last couple
of years. If you are pinning for those sites, you definitely want to
pin public keys.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
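
Added example, not part of the original thread: the difference between pinning a certificate and pinning a public key, shown with the openssl command line. A certificate re-issued for the same key pair changes the certificate hash but not the hash of its SubjectPublicKeyInfo. The host name `pin-demo.invalid`, the function names and the self-signed certificates (standing in for CA-issued ones) are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (constructed data): certificate pin vs. public-key pin.
set -eu

cert_pin() {    # base64 SHA-256 of the whole DER certificate
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -binary | openssl base64
}

spki_pin() {    # base64 SHA-256 of the DER SubjectPublicKeyInfo only
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# issue KEY OUT SERIAL: self-signed stand-in for a CA-issued leaf certificate
issue() {
    openssl req -x509 -new -key "$1" -subj "/CN=pin-demo.invalid" \
        -set_serial "$3" -days 30 -out "$2" 2>/dev/null
}

# check FUNC CERT PIN: succeed only if the presented cert still matches the pin
check() { [ "$("$1" "$2")" = "$3" ]; }

run_demo() {
    d=$(mktemp -d)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/k1.pem" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/k2.pem" 2>/dev/null
    issue "$d/k1.pem" "$d/first.pem"   1   # certificate seen on first connect
    issue "$d/k1.pem" "$d/reissue.pem" 2   # re-issued, same key pair
    issue "$d/k2.pem" "$d/rekeyed.pem" 3   # different key pair
    pinned_cert=$(cert_pin "$d/first.pem")
    pinned_spki=$(spki_pin "$d/first.pem")
    for c in reissue rekeyed; do
        check cert_pin "$d/$c.pem" "$pinned_cert" && r1=match || r1=CHANGED
        check spki_pin "$d/$c.pem" "$pinned_spki" && r2=match || r2=CHANGED
        echo "$c: cert-pin=$r1 spki-pin=$r2"
    done
    rm -rf "$d"
}
run_demo
```

Only the re-keyed certificate trips the public-key pin, while the certificate pin flags both.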