On Mar 29, 2013, at 1:45 PM, Joseph Bonneau <[email protected]> wrote:

>> Hopefully, it's not just Google that implements this. I guess any browser 
>> that implements this will have some kind of reset button (like they have for 
>> other stuff) that will erase all pins. So the site is not really bricked, 
>> but still it's pretty embarrassing to have to have a message on their home 
>> page like "Chrome for Mac OS X users of foo.com, due to an administrative 
>> error, please select the 'Clear Browsing Data…' menu item from the Chrome 
>> menu, select 'the beginning of time' from the dropdown menu, and check the 
>> 'dynamic public key pins' box. Then click 'Clear browsing data'. Sorry for 
>> the inconvenience."
> 
> Perhaps we have a different working definition of "bricked"? By
> bricked, I meant that HPKP pins were set which the site no longer has
> the ability to satisfy, period. There are many ways that this could
> happen: pinning to two end-entity keys and losing the private keys,
> attempting to pin to a CA key but entering the hash incorrectly, and
> still having the pins accepted since the end-entity key pin is valid,
> or a malicious bricking with a mis-issued certificate. In this case, a
> bricked domain would be unable to show anything at all to users, so
> they couldn't ask users to hit a "reset pins" button as you suggest.

This assumes all these domains are also STS (H or not). If the site also has an 
HTTP server (like most are now), then that server can display the message.

Perhaps there should be some website that lists bricked domains, perhaps 
maintained by the browser vendors or a consortium (CABF?). So when you get the 
HPKP error screen, you will not be able to click through, but you will be able 
to get the list of recently bricked domains. So if the site you were looking 
for is listed there, you would shake your head at their incompetence, and 
proceed to clear pins (or clear the specific pin if you're more security 
conscious). Of course, that site has to be strictly secure.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
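The failure modes Bonneau lists (a pin set that the served chain can never satisfy again) follow directly from how a user agent notes and later checks HPKP pins. The Python below is an added illustration written for this page, not code from the thread or from any browser; it models RFC 7469 pin semantics with constructed stand-in SPKI byte strings in place of real DER SubjectPublicKeyInfo blobs, and a minimal header parser. It shows why a mistyped CA pin is accepted (it passes for the required backup pin, since the end-entity pin still matches), why the site is then bricked at the first key rotation, and the preflight check an operator could run against every chain they can serve before deploying the header.

```python
import base64
import hashlib

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each key.
# Real HPKP hashes the DER SPKI taken from each certificate in the chain;
# these bytes only need to be distinct so the resulting pins differ.
EE_SPKI = b"constructed-spki: end-entity key, 2013"
EE_ROTATED_SPKI = b"constructed-spki: replacement end-entity key"
CA_SPKI = b"constructed-spki: issuing CA key"
BACKUP_SPKI = b"constructed-spki: offline backup key"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Minimal Public-Key-Pins parser: pin-sha256, max-age, includeSubDomains."""
    out = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            out["pins"].append(raw)
        elif name == "max-age":
            out["max_age"] = int(raw)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
    return out


def served_pins(chain_spkis) -> set:
    """Pins of every key in the chain the server actually presented."""
    return {spki_pin(spki) for spki in chain_spkis}


def ua_accepts_pins(header_pins, chain_spkis) -> bool:
    """Pin-noting rule (RFC 7469, section 2.5): at least one pin must match a
    key in the served chain, and at least one must match nothing in it (the
    backup pin). A mistyped pin matches nothing, so it passes as a backup."""
    served = served_pins(chain_spkis)
    return (any(p in served for p in header_pins)
            and any(p not in served for p in header_pins))


def chain_satisfies_pins(noted_pins, chain_spkis) -> bool:
    """Later connections: the served chain must contain at least one noted pin."""
    return not served_pins(chain_spkis).isdisjoint(noted_pins)


def mistype(pin: str) -> str:
    """Simulate an operator copying the hash with one character wrong."""
    return ("B" if pin[0] != "B" else "C") + pin[1:]


def pkp_header(*pins: str) -> str:
    return "; ".join('pin-sha256="%s"' % p for p in pins) + "; max-age=5184000"


# Intended: pin the end-entity key plus the CA key, but the CA hash is mistyped.
TYPO_HEADER = pkp_header(spki_pin(EE_SPKI), mistype(spki_pin(CA_SPKI)))
# Correct: end-entity key, CA key, and a genuine offline backup key.
CORRECT_HEADER = pkp_header(spki_pin(EE_SPKI), spki_pin(CA_SPKI), spki_pin(BACKUP_SPKI))


def run_scenario(header: str, chain_now, chain_later):
    """Returns (noted, ok_now, ok_later): whether the UA noted the pins on the
    first visit, and whether the chain validates before and after the
    end-entity key is replaced (e.g. after losing the private key)."""
    noted = parse_pkp_header(header)["pins"]
    return (ua_accepts_pins(noted, chain_now),
            chain_satisfies_pins(noted, chain_now),
            chain_satisfies_pins(noted, chain_later))


def typo_bricks_site():
    """The typo'd header is accepted and works today, then bricks on rotation."""
    return run_scenario(TYPO_HEADER, [EE_SPKI, CA_SPKI], [EE_ROTATED_SPKI, CA_SPKI])


def correct_ca_pin_survives_rotation():
    """With a real CA pin, the rotated chain still matches."""
    return run_scenario(CORRECT_HEADER, [EE_SPKI, CA_SPKI], [EE_ROTATED_SPKI, CA_SPKI])


def preflight(header: str, possible_chains) -> bool:
    """Operator-side check before deploying: every pin in the header must be
    reachable from at least one chain the site could actually serve."""
    pins = parse_pkp_header(header)["pins"]
    reachable = set().union(*(served_pins(c) for c in possible_chains))
    return all(p in reachable for p in pins)


if __name__ == "__main__":
    chains = [[EE_SPKI, CA_SPKI], [BACKUP_SPKI, CA_SPKI]]
    print("typo header:   ", typo_bricks_site(), "preflight:", preflight(TYPO_HEADER, chains))
    print("correct header:", correct_ca_pin_survives_rotation(), "preflight:", preflight(CORRECT_HEADER, chains))
```

The preflight is the part worth keeping: the browser-side acceptance rule cannot distinguish a deliberate backup pin from a typo, so the only place the error can be caught is on the operator's side, by confirming that every pin in the header hashes to a key the site can really present.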