[liberationtech] W3C WebCrypto Last Call for Comments *today*
Griffin Boyce
griffin at cryptolab.net
Tue May 20 09:10:58 PDT 2014
Ryan Sleevi wrote:
> Certificate pinning is one such way to mitigate this threat.
This is true. But....
There need to be more options for users/allies to solidify a
connection to a website other than relying on the webmaster to get their
cert pinned (which happens almost never). Yes, some sites have pinned
certificates, and lots of large consumer-facing websites have
certificate pinning in their long-term security goals. But for small
sites and most developers, pinning isn't even on their radar. And even
if the webmaster is knowledgeable about the subject, they may not have
the time/interest/inclination to go through the process for the top five
browsers.
And for those who use self-signed certs this isn't even a possibility.
> Regardless, its unreasonable to suggest we are responsible for
> developers who chose to use eval on untrusted code, who choose not to
> use CSP, those who introduce XSS, and likewise, those who fail to use
> pinning. These are all complimentary tools in the developer's toolbox.
Now this I definitely agree with =)
~Griffin
More information about the liberationtech
mailing list