On 09/01/2014 01:19 PM, Antony Stone wrote:

Starting with FF 32, it's on by default, so you don't have to do anything. The
pinning level is enforced by a pref, security.cert_pinning.enforcement_level

  0. Pinning disabled
  1. Allow User MITM (pinning not enforced if the trust anchor is a user
inserted CA, default)
  2. Strict. Pinning is always enforced.
  3. Enforce test mode.

That seems to me to say that if the root of the certificate chain is a user-
added cert, pinning will not be enforced, therefore the user isn't affected?

Hey Antony,

It means that if the user will disable the Pinning check it will work.
I assume they will choose option 2 of the 4 but it's different from chrome which do not allow you to disable the pinning at all for google.com.


Reply via email to