[159270] in North American Network Operators' Group


Re: Gmail and SSL

daemon@ATHENA.MIT.EDU (Steven Bellovin)
Wed Jan 2 21:12:39 2013

From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <20130103012515.GI24733@frotz.zork.net>
Date: Wed, 2 Jan 2013 21:12:27 -0500
To: Seth David Schoen <schoen@loyalty.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 2, 2013, at 8:25 PM, Seth David Schoen <schoen@loyalty.org> wrote:

> Steven Bellovin writes:
>
>> The only Chrome browser I have lying around right now is on a Nexus 7 tablet;
>> I don't see any way to list the pinned certs from the browser.  There is a
>> list at http://www.chromium.org/administrators/policy-list-3, and while I
>> don't know how current it is you'll notice a decided dearth of interesting
>> sites with the exceptions of paypal.com and lastpass.com.
>
> You can see the current list of cert pins and HSTS preloads in the Chromium
> source tree at
>
> https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.h?view=markup
>
> or
>
> https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.json?view=markup

Thanks.  The list is longer, but with the exception of Twitter (and
possibly Intuit -- a subdomain is shown), not a lot more interesting.
I don't see major banks, I don't see Facebook or Hotmail, I don't see
the big CAs, etc.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb






