[cabfpub] [EXTERNAL] Brazilian bank DNS heist
Ryan Sleevi
sleevi at google.com
Fri Apr 7 14:16:32 UTC 2017
On Fri, Apr 7, 2017 at 9:27 AM, Bruce Morton <
Bruce.Morton at entrustdatacard.com> wrote:
> Sorry I missed that, but isn’t pinning high risk? I don’t think that any
> CA would recommend pinning as it is unsupportable; we can’t do anything
> when it fails. I think Subscribers should review pinning before deploying,
> https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
> .
>
For what it's worth, many of the complaints in that blog relate to CAs lack
of disclosure related to their infrastructure - that's what creates the
risks. So if CAs were more technically savvy, and worked to help understand
their customers needs, it's very much viable.
> I think the value of EV is that those certificates are not issued to
> attackers. So it would be great if a Subscriber could state that their site
> only uses EV and that the browser respected that statement.
>
And customers have that capability - if CAs, particularly their CA, is
technically capable and/or transparent. The browser manufacturers have
already give you that capability, if you chose to use it.
> I also think that this statement might be better to be put in the HSTS
> header. HSTS is low risk, EV is highly available and stating EV-only would
> be applicable to most CAs. This allows the Subscriber to move from one CA
> to another without bricking their site by pinning to a root or intermediate.
>
I disagree, and was pointing out how you can already accomplish this
without requiring new features that accomplish the same as existing
features =)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170407/ef28dd42/attachment-0003.html>
More information about the Public
mailing list