- From: Griffin Boyce <griffin@cryptolab.net>
- Date: Tue, 20 May 2014 12:10:58 -0400
- To: liberationtech <liberationtech@lists.stanford.edu>
- Cc: Ryan Sleevi <sleevi@google.com>, Public-webcrypto Comments <public-webcrypto-comments@w3.org>, carlo von lynX <lynX@time.to.get.psyced.org>
Ryan Sleevi wrote: > Certificate pinning is one such way to mitigate this threat. This is true. But.... There need to be more options for users/allies to solidify a connection to a website other than relying on the webmaster to get their cert pinned (which happens almost never). Yes, some sites have pinned certificates, and lots of large consumer-facing websites have certificate pinning in their long-term security goals. But for small sites and most developers, pinning isn't even on their radar. And even if the webmaster is knowledgeable about the subject, they may not have the time/interest/inclination to go through the process for the top five browsers. And for those who use self-signed certs this isn't even a possibility. > Regardless, its unreasonable to suggest we are responsible for > developers who chose to use eval on untrusted code, who choose not to > use CSP, those who introduce XSS, and likewise, those who fail to use > pinning. These are all complimentary tools in the developer's toolbox. Now this I definitely agree with =) ~Griffin
Received on Tuesday, 20 May 2014 17:25:14 UTC