[cabfpub] [EXTERNAL] Brazilian bank DNS heist
sleevi at google.com
Fri Apr 7 14:16:32 UTC 2017
On Fri, Apr 7, 2017 at 9:27 AM, Bruce Morton <Bruce.Morton at entrustdatacard.com> wrote:
> Sorry I missed that, but isn’t pinning high risk? I don’t think that any
> CA would recommend pinning as it is unsupportable; we can’t do anything
> when it fails. I think Subscribers should review pinning before deploying,
For what it's worth, many of the complaints in that blog relate to CAs' lack
of disclosure related to their infrastructure - that's what creates the
risks. So if CAs were more technically savvy, and worked to help understand
their customers' needs, it's very much viable.
> I think the value of EV is that those certificates are not issued to
> attackers. So it would be great if a Subscriber could state that their site
> only uses EV and that the browser respected that statement.
And customers have that capability - if CAs, particularly their CA, are
technically capable and/or transparent. The browser manufacturers have
already given you that capability, if you choose to use it.
> I also think that this statement might be better to be put in the HSTS
> header. HSTS is low risk, EV is highly available and stating EV-only would
> be applicable to most CAs. This allows the Subscriber to move from one CA
> to another without bricking their site by pinning to a root or intermediate.
I disagree, and was pointing out how you can already accomplish this
without requiring new features that accomplish the same as existing
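The thread argues about pinning to a CA's root or intermediate versus a site's own keys, and about the "bricking" risk when a Subscriber changes CA. The following is an added example, not code from this list or from any CA or browser vendor; it assumes "pinning" here means browser public-key pinning in the RFC 7469 (HPKP) sense, where a pin is the base64 SHA-256 of a DER SubjectPublicKeyInfo, a chain is accepted if any pinned key appears anywhere in it, and a pin set must include at least one backup key not present in the served chain. The SPKI blobs are constructed placeholders, not real DER.

```python
"""Added example: HPKP-style pin arithmetic and the CA-migration failure mode.

Not code from the mailing-list thread or from any CA. The byte strings below
stand in for DER-encoded SubjectPublicKeyInfo structures; a real deployment
would take them from the certificates (e.g. openssl x509 -pubkey).
"""
import base64
import hashlib

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF_KEY_A = b"constructed-spki:site-leaf-key-A"
INTERMEDIATE_A = b"constructed-spki:CA-A-intermediate"
ROOT_A = b"constructed-spki:CA-A-root"
INTERMEDIATE_B = b"constructed-spki:CA-B-intermediate"
ROOT_B = b"constructed-spki:CA-B-root"
BACKUP_LEAF_KEY = b"constructed-spki:site-backup-key-kept-offline"

# Chains as a browser would see them: leaf first, root last.
CHAIN_CA_A = [LEAF_KEY_A, INTERMEDIATE_A, ROOT_A]
CHAIN_CA_B_SAME_LEAF = [LEAF_KEY_A, INTERMEDIATE_B, ROOT_B]      # moved CA, kept key
CHAIN_CA_B_BACKUP_LEAF = [BACKUP_LEAF_KEY, INTERMEDIATE_B, ROOT_B]  # moved CA, rolled to backup key


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pins) -> bool:
    """RFC 7469 validation: accept if ANY pinned key appears ANYWHERE in the chain."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def has_backup_pin(chain_spkis, pins) -> bool:
    """Pin set is only deployable if at least one pin is NOT in the served chain."""
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    return any(pin not in chain_pins for pin in pins)


def can_migrate(pins, new_chain) -> bool:
    """Would a browser that cached `pins` still accept `new_chain` after a CA change?"""
    return chain_matches_pins(new_chain, pins)


def pkp_header(pins, max_age: int = 5184000, include_subdomains: bool = False) -> str:
    """Render a Public-Key-Pins response header for a pin set (sorted for determinism)."""
    parts = [f'pin-sha256="{pin}"' for pin in sorted(pins)] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "Public-Key-Pins: " + "; ".join(parts)


# Three policies a Subscriber might ship while served by CA A.
PINS_INTERMEDIATE_ONLY = {spki_pin(INTERMEDIATE_A)}                      # no backup: not deployable
PINS_WITH_BACKUP = {spki_pin(INTERMEDIATE_A), spki_pin(BACKUP_LEAF_KEY)}  # CA key + own backup key
PINS_OWN_KEYS = {spki_pin(LEAF_KEY_A), spki_pin(BACKUP_LEAF_KEY)}        # only keys the site controls


if __name__ == "__main__":
    for name, pins in [("intermediate-only", PINS_INTERMEDIATE_ONLY),
                       ("intermediate+backup", PINS_WITH_BACKUP),
                       ("own-keys", PINS_OWN_KEYS)]:
        print(f"{name}: backup ok={has_backup_pin(CHAIN_CA_A, pins)}, "
              f"move CA keep key={can_migrate(pins, CHAIN_CA_B_SAME_LEAF)}, "
              f"move CA roll key={can_migrate(pins, CHAIN_CA_B_BACKUP_LEAF)}")
    print(pkp_header(PINS_OWN_KEYS, include_subdomains=True))
```

Run as a script it prints one line per policy. Pinning only the current CA's intermediate has no backup and breaks as soon as the site moves to CA B; pinning the intermediate plus an offline backup key survives the move only if the site actually rolls to that backup key; pinning only keys the site controls survives a CA change with no key rotation at all, which is the option that does not depend on the CA's infrastructure disclosure.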