On Dec 12, 2011, at 6:57 AM, Yoav Nir wrote:

> Section 2.3 does say that pins must only be noted if they come over an
> error-free HTTPS connection, where the chain contains the pinned SPKI. So the
> MITM would have to be able to take over the DNS (at least for a while) as in
> the attack described by David on 11-Dec.

I don't agree that the MITM must control the DNS for this attack to work. As long as the MITM can intercept the TLS handshake, and the client isn't doing OCSP (or the MITM intercepts that too), using a rogue cert works; thus the rogue pinning works as well.

> Maybe we can mitigate this with a version of this header (or another one)
> that says "no pins for the next x seconds"

That still doesn't deal with the site that hears about the pinning header after the MITM does.

> A year from now, "sha-256" is going to be ambiguous. Better to say "sha2-256".

Good point, and one that might be made on the SAAG list as well.

--Paul Hoffman
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
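
Added example, not part of the original message or of the draft's text: a Python model of the Section 2.3 noting rule quoted above, showing that the rule only compares the header's pins with the chain the client was shown and accepted. The PinStore class, its method names, the max_age lifetime and the byte strings standing in for SPKI data are assumptions made for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 digest of a certificate's SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

class PinStore:
    """Hypothetical client-side pin store (structure assumed, not from the draft)."""
    def __init__(self):
        self._pins = {}  # host -> (set of pins, expiry time in seconds)

    def note(self, host, error_free, chain_spkis, header_pins, max_age, now):
        """Noting rule: error-free TLS and at least one pinned SPKI in the chain."""
        chain = {spki_pin(s) for s in chain_spkis}
        if not error_free or not self.allows(host, chain_spkis, now):
            return False  # handshake errors, or an existing pin rejects this chain
        if not (chain & set(header_pins)):
            return False  # header pins nothing that the presented chain contains
        self._pins[host] = (set(header_pins), now + max_age)
        return True

    def allows(self, host, chain_spkis, now):
        """A later connection passes only if its chain matches an unexpired pin."""
        entry = self._pins.get(host)
        if entry is None or now >= entry[1]:
            return True  # nothing noted for this host, or the pin expired
        return bool({spki_pin(s) for s in chain_spkis} & entry[0])

def demo():
    # Constructed stand-ins for SPKI bytes; real values come from the certificates.
    site_chain = [b"constructed-site-leaf-spki", b"constructed-site-ca-spki"]
    other_chain = [b"constructed-other-leaf-spki", b"constructed-other-ca-spki"]
    other_pin = [spki_pin(other_chain[0])]
    store = PinStore()
    # A header whose pin is absent from the presented chain is ignored.
    mismatch = store.note("example.test", True, site_chain, other_pin, 60, now=0)
    # Any chain the client accepted as error-free gets its matching pin noted;
    # the rule cannot tell who presented that chain.
    noted = store.note("example.test", True, other_chain, other_pin, 60, now=0)
    # While that pin is alive, the site's own chain fails the pin check,
    # and a header arriving over it cannot replace the pin.
    site_during = store.allows("example.test", site_chain, now=30)
    repin = store.note("example.test", True, site_chain, [spki_pin(site_chain[0])], 60, now=30)
    site_after = store.allows("example.test", site_chain, now=61)
    return mismatch, noted, site_during, repin, site_after
```
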
