[liberationtech] W3C WebCrypto Last Call for Comments *today*

Griffin Boyce griffin at cryptolab.net
Tue May 20 09:10:58 PDT 2014


Ryan Sleevi wrote:

> Certificate pinning is one such way to mitigate this threat.

   This is true. But....

   There need to be more options for users/allies to solidify a 
connection to a website other than relying on the webmaster to get their 
cert pinned (which happens almost never).  Yes, some sites have pinned 
certificates, and lots of large consumer-facing websites have 
certificate pinning in their long-term security goals.  But for small 
sites and most developers, pinning isn't even on their radar.  And even 
if the webmaster is knowledgeable about the subject, they may not have 
the time/interest/inclination to go through the process for the top five 
browsers.

   And for those who use self-signed certs this isn't even a possibility.

> Regardless, it's unreasonable to suggest we are responsible for
> developers who choose to use eval on untrusted code, who choose not to
> use CSP, those who introduce XSS, and likewise, those who fail to use
> pinning. These are all complementary tools in the developer's toolbox.

   Now this I definitely agree with =)

~Griffin
