On Tue, May 20, 2014 at 9:10 AM, Griffin Boyce <griffin@cryptolab.net> wrote:
> Ryan Sleevi wrote:
>
>> Certificate pinning is one such way to mitigate this threat.
>
> This is true. But....
>
> There need to be more options for users/allies to solidify a connection
> to a website other than relying on the webmaster to get their cert pinned
> (which happens almost never). Yes, some sites have pinned certificates,
> and lots of large consumer-facing websites have certificate pinning in
> their long-term security goals. But for small sites and most developers,
> pinning isn't even on their radar. And even if the webmaster is
> knowledgeable about the subject, they may not have the
> time/interest/inclination to go through the process for the top five
> browsers.
>
> And for those who use self-signed certs this isn't even a possibility.
Thank you for your feedback. However, such feedback is generally out of
scope for this WG.
This WG is chartered to deliver an API using the existing Web Security
model. That is, presupposing that it offers sufficient flexibility for
authors to meet their security requirements, what is the set of primitives
and capabilities needed for robust web applications.
Discussions about changes to the web security model, including improvements
or alternatives to solutions like certificate pinning, are best brought to
the W3C's Web App Sec WG - http://www.w3.org/2011/webappsec/
>
>> Regardless, it's unreasonable to suggest we are responsible for
>> developers who choose to use eval on untrusted code, who choose not to
>> use CSP, those who introduce XSS, and likewise, those who fail to use
>> pinning. These are all complementary tools in the developer's toolbox.
>
> Now this I definitely agree with =)
>
> ~Griffin
>
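The thread above treats certificate pinning as one tool among several, and Griffin's point is that most site operators never deploy it. The following is an added example, not code from the thread, the WG or either author: it shows what a pinning client actually checks, in the RFC 7469 (HTTP Public Key Pinning) form that was current at the time of this exchange, using only the Python standard library. The SPKI byte strings, the header values and the helper names (`spki_pin`, `parse_pins`, `chain_matches`, `can_note_pins`, `evaluate`) are all constructed for this illustration; no real keys or certificates are involved.

```python
"""Added example (not from the thread): how a pinning client checks a
Public-Key-Pins style pin set, per RFC 7469, using only the standard library.
All SPKI byte strings below are constructed placeholders, not real keys."""
import base64
import hashlib
import re
from typing import Iterable, List

# Matches each pin-sha256="<base64>" directive in a Public-Key-Pins header value.
PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).

    Pinning the SPKI rather than the whole certificate lets the operator
    re-issue certificates for the same key without breaking the pin.
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pins(header_value: str) -> List[str]:
    """Return every pin-sha256 value found in a Public-Key-Pins header."""
    return PIN_RE.findall(header_value)


def chain_matches(pins: Iterable[str], chain_spkis: Iterable[bytes]) -> bool:
    """Pin validation: the connection passes if any noted pin equals the pin
    of any SPKI in the chain that already passed normal path validation."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return any(p in chain_pins for p in pins)


def can_note_pins(pins: Iterable[str], chain_spkis: Iterable[bytes]) -> bool:
    """RFC 7469's backup-pin rule: a client only records a pin set if at least
    one pin matches the current chain (proof the operator controls a pinned
    key) and at least one does not (a backup pin, so a key loss is recoverable
    without locking every returning client out of the site)."""
    pins = list(pins)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    has_match = any(p in chain_pins for p in pins)
    has_backup = any(p not in chain_pins for p in pins)
    return has_match and has_backup


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF_SPKI = b"constructed-leaf-spki"
CA_SPKI = b"constructed-intermediate-ca-spki"
BACKUP_SPKI = b"constructed-offline-backup-spki"
ROGUE_SPKI = b"constructed-mis-issued-cert-spki"

# A header the site would send on first contact: the leaf key plus a backup.
GOOD_HEADER = 'pin-sha256="{}"; pin-sha256="{}"; max-age=5184000'.format(
    spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI))
# A header that forgets the backup pin; clients must refuse to note it.
NO_BACKUP_HEADER = 'pin-sha256="{}"; max-age=5184000'.format(spki_pin(LEAF_SPKI))


def evaluate(header_value: str, first_chain, later_chain) -> dict:
    """Walk one deployment: note the pin set from first_chain, then decide
    whether later_chain (perhaps a mis-issued certificate) is accepted."""
    pins = parse_pins(header_value)
    noted = can_note_pins(pins, first_chain)
    return {
        "pins_in_header": len(pins),
        "noted": noted,
        # If the pin set was never noted there is nothing to enforce.
        "later_chain_accepted": chain_matches(pins, later_chain) if noted else True,
    }


if __name__ == "__main__":
    print(evaluate(GOOD_HEADER, [LEAF_SPKI, CA_SPKI], [ROGUE_SPKI, CA_SPKI]))
    print(evaluate(NO_BACKUP_HEADER, [LEAF_SPKI, CA_SPKI], [ROGUE_SPKI, CA_SPKI]))
```

The second run is the operational point behind Griffin's complaint: a pin set without a backup pin is never noted, so it protects nothing, and a pin set that is noted commits the operator to keeping the backup key available. The same SPKI hash is what browser-preloaded pin lists carry, which is the per-browser process the thread refers to; the header mechanism itself was later withdrawn by the major browsers, so the value of the example is the verification logic, not the deployment route.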