Is there a way to look at the pin list? Just out of curiosity (security research)
On Monday, November 19, 2012 2:21:41 AM UTC+1, Geremy Condra wrote:
> On Sun, Nov 18, 2012 at 5:00 PM, Simon Dieterle <[email protected]> wrote:
>> Heyho,
>>
>> What do I have to do to use it?
>
> If you're a user of the device, nothing. The platform will automatically
> pin connections based on a pin list we provide. For most users that list
> will currently be empty, but as we become more confident that we aren't
> breaking good connections we'll be providing additional pins.
>
> If you're an application developer and just want to pin your own
> connections you should either implement a custom TrustManager or use the
> new
> http://developer.android.com/reference/android/net/http/X509TrustManagerExtensions.html
> extensions and check the list of certificates you get back out of it.
>
> Finally, if you're a website owner and you want to be pinned, please send
> an email to [email protected].
>
> Thanks,
> Geremy Condra
>
>> On Sunday, November 18, 2012 9:12:53 PM UTC+1, Geremy Condra wrote:
>>> Hey Jeffrey,
>>>
>>> Yep, we pin to the public key that issued the certificate.
>>>
>>> Thanks,
>>> Geremy Condra
>>>
>>> On Sun, Nov 18, 2012 at 10:36 AM, Jeffrey Walton <[email protected]> wrote:
>>>> Hi All/Nick.
>>>>
>>>> According to About Jelly Bean
>>>> (http://developer.android.com/about/versions/jelly-bean.html),
>>>> libcore SSL supports pinning:
>>>>
>>>> "Certificate Pinning — The libcore SSL implementation now supports
>>>> certificate pinning. Pinned domains will receive a certificate
>>>> validation failure if the certificate does not chain to a set of
>>>> expected certificates. This protects against possible compromise of
>>>> Certificate Authorities."
>>>>
>>>> I know it tells me certificate pinning, but is that public key
>>>> pinning? I've been running tests on encrypted.google.com and gmail.com
>>>> for the last 18 months or so. Google rotates its certificates
>>>> regularly, but the underlying public key is static.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Android Security Discussions" group.
>>>> To post to this group, send email to android-secu...@googlegroups.com.
>>>> To unsubscribe from this group, send email to
>>>> android-security-discuss+[email protected].
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/android-security-discuss?hl=en
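The approach Geremy recommends to application developers in the quoted reply, wrapping the platform trust manager in X509TrustManagerExtensions and checking the certificate list it returns, as an added example that is not code from this thread or from Android itself. The SpkiPinValidator class, its method names and the pin set are hypothetical; it pins on the SHA-256 of each certificate's SubjectPublicKeyInfo, which is the key-rather-than-certificate pinning Jeffrey asks about and survives the certificate rotation he observed.

```java
import android.net.http.X509TrustManagerExtensions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
/** Hypothetical helper: pins a host to a set of SHA-256(SubjectPublicKeyInfo) hex digests. */
public final class SpkiPinValidator {
    private final X509TrustManagerExtensions extensions;
    private final Set<String> pinnedSpkiSha256; // lowercase hex digests chosen by the app
    public SpkiPinValidator(Set<String> pinnedSpkiSha256) throws GeneralSecurityException {
        this.pinnedSpkiSha256 = pinnedSpkiSha256;
        // Wrap the platform's default X509TrustManager so ordinary chain validation still runs first.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager platform = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { platform = (X509TrustManager) tm; break; }
        }
        if (platform == null) throw new IllegalStateException("no X509TrustManager available");
        this.extensions = new X509TrustManagerExtensions(platform);
    }
    /**
     * Validates the chain as the platform does, then requires a pinned key somewhere in the cleaned,
     * validated path. Checking the raw server-supplied array instead would be wrong: it may carry
     * extra or reordered certificates that were never part of the trusted path.
     */
    public void checkPinned(X509Certificate[] serverChain, String authType, String host)
            throws CertificateException {
        for (X509Certificate cert : extensions.checkServerTrusted(serverChain, authType, host)) {
            if (pinnedSpkiSha256.contains(spkiSha256Hex(cert))) return; // pin matched
        }
        throw new CertificateException("no pinned public key in validated chain for " + host);
    }
    /** Digest of the DER SubjectPublicKeyInfo; stable across certificate renewals that keep the key. */
    static String spkiSha256Hex(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }
}
```

Call checkPinned from the checkServerTrusted method of a custom X509TrustManager installed in the app's SSLContext, passing the peer hostname so the platform's hostname-aware checks also run.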
