[159259] in North American Network Operators' Group


Re: Gmail and SSL

daemon@ATHENA.MIT.EDU (Steven Bellovin)
Wed Jan 2 19:29:14 2013

From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <m2y5gb9l5u.wl%randy@psg.com>
Date: Wed, 2 Jan 2013 19:29:05 -0500
To: Randy Bush <randy@psg.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 2, 2013, at 7:15 PM, Randy Bush <randy@psg.com> wrote:

>> Do you run Cert Patrol (a Firefox extension) in your browser?
>
> yes, but my main browser is chrome (ff does poorly with nine windows and
> 60+ tabs).  there is some sort of pinning, or at least discussion of it.
> but it is not clear what is actually provided.  and i don't see evidence
> of churn reporting.
>
Google uses certificate pinning for a very, very few sites.  From
http://blog.chromium.org/2011/06/new-chromium-security-features-june.html :

	In addition in Chromium 13, only a very small subset of CAs have the
	authority to vouch for Gmail (and the Google Accounts login page).

You can turn it on for other sites but:

	Advanced users can enable stronger security for some web sites by
	visiting the network internals page: chrome://net-internals/#hsts

	You can now force HTTPS for any domain you want, and even “pin” that
	domain so that only a more trusted subset of CAs are permitted to
	identify that domain.

	_It’s an exciting feature but we’d like to warn that it’s easy to break
	things! We recommend that only experts experiment with net internals
	settings._

Emphasis theirs.

The only Chrome browser I have lying around right now is on a Nexus 7 tablet;
I don't see any way to list the pinned certs from the browser.  There is a
list at http://www.chromium.org/administrators/policy-list-3, and while I
don't know how current it is you'll notice a decided dearth of interesting
sites with the exceptions of paypal.com and lastpass.com.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb
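An added example, not from Steve's message and not Chromium's code, showing what the quoted "only a more trusted subset of CAs are permitted to identify that domain" means mechanically. It builds two self-signed roots in memory, puts both in the trust store, pins only one, and then runs the check a pinning browser performs: ordinary chain validation first, then "does any certificate in the validated chain carry a pinned public-key hash". The CA names, the host name mail.example.com and the choice of SHA-256 over the SubjectPublicKeyInfo as the pin value are assumptions of this example, not facts taken from the post or from Chromium's actual pin list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)) for a certificate.
// Hashing the key rather than the whole certificate means a re-issued cert
// for the same CA key still matches the pin. (Hash choice: this example's.)
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned mirrors a pinning browser: normal path validation against the
// trust store first, then the pin check on every chain that validated.
func VerifyPinned(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err // untrusted, expired or wrong name: pinning never runs
	}
	// Pin rule: some certificate in some validated chain (leaf, intermediate
	// or root) must carry a pinned SPKI hash. Pinning a CA key is what turns
	// "only a small subset of CAs may vouch for this host" into code.
	for _, chain := range chains {
		for _, c := range chain {
			if pins[SPKIPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("chain for %s validates but matches no pin", host)
}

// template builds a constructed CA or end-entity template valid for a day.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint signs tmpl with parent (self-signs when parent is nil) using a fresh
// P-256 key. All key material is generated in memory for this example.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Demo trusts two constructed roots but pins only one, then reports whether
// a leaf from the pinned CA passes and a leaf from the other trusted CA fails.
func Demo() (pinnedAccepted, otherRejected bool) {
	pinnedCA, pinnedKey := mint(template("Pinned Root (constructed)", 1, true), nil, nil)
	otherCA, otherKey := mint(template("Other Trusted Root (constructed)", 2, true), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	roots.AddCert(otherCA)
	pins := map[string]bool{SPKIPin(pinnedCA): true}

	const host = "mail.example.com" // hypothetical host name
	good, _ := mint(template(host, 3, false), pinnedCA, pinnedKey)
	rogue, _ := mint(template(host, 4, false), otherCA, otherKey)
	pinnedAccepted = VerifyPinned(good, host, roots, pins) == nil
	otherRejected = VerifyPinned(rogue, host, roots, pins) != nil
	return pinnedAccepted, otherRejected
}
```

The second leaf is the interesting case: it is a perfectly valid certificate from a CA the trust store accepts, and plain TLS validation would take it; only the pin rejects it. That is also why the Chromium text warns that the feature is "easy to break things": if a site's operator moves to a CA whose key is not in the pin set, every pinned client fails exactly the way `rogue` does here, with no way to recover short of changing the pin.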