Re: Draft finding - "Transitioning the Web to HTTPS"

Apologies for the slow reply.

One for the record books; I agree with timeless!

On Sun, Jun 14, 2015 at 11:03 AM, timeless <timeless@gmail.com> wrote:

> For the record (since I'm reading this months after the thread and
> have time to review links)
>
> Philip Jägenstedt wrote:
> > Do you find it inappropriate that the Yandex Browser is currently
> > unable to connect to https://crypto.cat/ and https://tv.eurosport.com/
> > (demo site) with no apparent option for ignoring the problem?
>
> I don't, apparently they "committed pinning-suicide" [1]:
> >> Clients deciding that “pinning is good” have caused headaches at Google.
> >> It's also worth noting that CryptoCat has committed pinning-suicide in
> >> Chrome at the moment due to their CA having switched intermediates
> >> between renewals. They're waiting for the release of Chrome 41 to
> >> recover.
>
> An entity using a feature and messing up deserves what it gets.
>
> > If not, you're already OK with browser vendors making such decisions,
>
> Nope, CryptoCat made the decision on its own, you have to *ask* for
> this pinning, and they clearly asked Google for it.
>
> > and merely disagree about the cases in which it should be possible to
> > ignore the certificate error.
>
> Again, CryptoCat asked for pinning. Pinning means "Dear Browser, do
> not trust *any* certificate from *any* CA other than this one {}, I
> entity promise that I will not deploy a certificate for my server from
> any CA that isn't this one {}, and any time you encounter a
> certificate for a server portending to be mine but issued from some
> other CA, you can be assured that it is an impersonation attempt."
>
> Google Chrome and Yandex are honoring the declaration that CryptoCat made.
>
> [1] https://www.imperialviolet.org/2015/01/17/notdane.html
>
>

Received on Saturday, 20 June 2015 01:14:18 UTC
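The pinning semantics timeless describes above ("do not trust any certificate from any CA other than this one") and the CryptoCat failure mode (the CA switched intermediates between renewals) can be shown with a small HPKP-style pin check. This is an added example, not code from the thread or from any browser; the SPKI byte strings, chain contents and pin sets are constructed placeholders, not real keys.

```python
# Added example (not code from the thread): an HPKP-style pin check on a
# constructed chain, showing why pinning only a CA intermediate with no
# backup pin breaks when the CA switches intermediates at renewal.
import base64
import hashlib
from typing import Iterable, Sequence


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis: Sequence[bytes], pins: Iterable[str]) -> bool:
    """A chain satisfies a pin set if ANY certificate in it hashes to a pin.
    Pinning is the site's own declaration; a browser honouring it cannot
    tell an honest renewal from an impersonation attempt."""
    pin_set = set(pins)
    return any(spki_pin(spki) in pin_set for spki in chain_spkis)


def verdict(chain_spkis: Sequence[bytes], pins: Iterable[str]) -> str:
    return "connect" if chain_matches_pins(chain_spkis, pins) else "refuse (pin failure)"


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs
# (placeholders, not real keys).
LEAF_2014 = b"SPKI:site-leaf-key-2014"
LEAF_2015 = b"SPKI:site-leaf-key-2015"
INTERMEDIATE_A = b"SPKI:ca-intermediate-A"
INTERMEDIATE_B = b"SPKI:ca-intermediate-B"  # CA's new intermediate after renewal
ROOT = b"SPKI:ca-root"

CHAIN_2014 = [LEAF_2014, INTERMEDIATE_A, ROOT]
CHAIN_2015 = [LEAF_2015, INTERMEDIATE_B, ROOT]  # same CA, different intermediate

# Weak policy: pin only the intermediate the CA happened to use last time.
PINS_INTERMEDIATE_ONLY = [spki_pin(INTERMEDIATE_A)]
# Safer policy (RFC 7469 requires a backup pin): add a pin the site controls,
# here an offline spare key, and/or the CA root, so a CA-side intermediate
# change is survivable.
SPARE_KEY = b"SPKI:site-offline-backup-key"
PINS_WITH_BACKUP = [spki_pin(INTERMEDIATE_A), spki_pin(ROOT), spki_pin(SPARE_KEY)]

if __name__ == "__main__":
    print("2014 chain, intermediate-only pins:", verdict(CHAIN_2014, PINS_INTERMEDIATE_ONLY))
    print("2015 chain, intermediate-only pins:", verdict(CHAIN_2015, PINS_INTERMEDIATE_ONLY))
    print("2015 chain, pins with backup:      ", verdict(CHAIN_2015, PINS_WITH_BACKUP))
```

The second case is the "pinning-suicide" outcome: the renewed chain is perfectly valid under normal CA trust, but the site's own declaration tells the browser to refuse it.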