> In general it looks like it's a mixture of "it's configurable" and "it depends > on the vendor" (the above only tells you what Bluecoat do). Interesting to > note that the Bluecoat hardware has problems MITM-ing Windows Update, because > Microsoft apply the quite sensible measure of only allowing something signed > by a known Windows Update cert (or at least on a Microsoft-supplied trust > list), rather than any old cert that turns up as long as it's signed by some > CA somewhere. I've heard of a similar approach proposed for smartphone mobile > banking apps, you hardcode in a cert that's used to verify a whitelist of > known-good certs for banks (more or less like Microsoft's CTLs), and then it > doesn't matter what certs the CAs sign because if it's not on the CTL then it > doesn't get trusted.
Sounds similar to the mechanism which allowed detection of the DigiNotar breach by Chrome: http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html Two major players using certificate pinning to provide additional security where CAs let us down. There may just be a lesson in there ... -C _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
