On Thu, Nov 29, 2012 at 8:19 AM, Simon Dieterle <smnd...@gmail.com> wrote:
> Is there a way to look at the pin list? Just out of curiosity (security
> research)

We don't currently surface this in the UI, sorry.

Geremy Condra

> On Monday, November 19, 2012 2:21:41 AM UTC+1, Geremy Condra wrote:
>>
>> On Sun, Nov 18, 2012 at 5:00 PM, Simon Dieterle <smn...@gmail.com> wrote:
>>
>>> Heyho,
>>>
>>> What do I have to do to use it?
>>
>> If you're a user of the device, nothing. The platform will automatically
>> pin connections based on a pin list we provide. For most users that list
>> will currently be empty, but as we become more confident that we aren't
>> breaking good connections we'll be providing additional pins.
>>
>> If you're an application developer and just want to pin your own
>> connections you should either implement a custom TrustManager or use the
>> new
>> http://developer.android.com/reference/android/net/http/X509TrustManagerExtensions.html
>> extensions and check the list of certificates you get back out of it.
>>
>> Finally, if you're a website owner and you want to be pinned, please send
>> an email to secu...@android.com.
>>
>> Thanks,
>> Geremy Condra
>>
>>> On Sunday, November 18, 2012 9:12:53 PM UTC+1, Geremy Condra wrote:
>>>
>>>> Hey Jeffrey,
>>>>
>>>> Yep, we pin to the public key that issued the certificate.
>>>>
>>>> Thanks,
>>>> Geremy Condra
>>>>
>>>> On Sun, Nov 18, 2012 at 10:36 AM, Jeffrey Walton <nolo...@gmail.com> wrote:
>>>>
>>>>> Hi All/Nick.
>>>>>
>>>>> According to About Jelly Bean
>>>>> (http://developer.android.com/about/versions/jelly-bean.html),
>>>>> libcore SSL supports pinning:
>>>>>
>>>>> "Certificate Pinning — The libcore SSL implementation now supports
>>>>> certificate pinning. Pinned domains will receive a certificate
>>>>> validation failure if the certificate does not chain to a set of
>>>>> expected certificates. This protects against possible compromise of
>>>>> Certificate Authorities."
>>>>>
>>>>> I know it tells me certificate pinning, but is that public key
>>>>> pinning? I've been running tests on encrypted.google.com and gmail.com
>>>>> for the last 18 months or so. Google rotates its certificates
>>>>> regularly, but the underlying public key is static.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Android Security Discussions" group.
>>>>> To post to this group, send email to android-secu...@googlegroups.com.
>>>>> To unsubscribe from this group, send email to
>>>>> android-security-discuss+unsubscr...@googlegroups.com.
>>>>> For more options, visit this group at
>>>>> http://groups.google.com/group/android-security-discuss?hl=en.
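
The application-side check suggested in the thread (use `X509TrustManagerExtensions` and inspect the certificates it returns), as an added example that is not code from the thread or from the Android project. The class name `PinCheck`, the pin format (base64 of the SHA-256 of each certificate's SubjectPublicKeyInfo) and the `"RSA"` auth type are assumptions; the app supplies pins for whichever key in its chain it wants to pin, for example the issuing key.

```java
import android.net.http.X509TrustManagerExtensions;
import android.util.Base64;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: public-key pin check over the chain the platform validated. */
public final class PinCheck {
    private final X509TrustManagerExtensions ext;
    private final Set<String> pins; // assumed format: base64(SHA-256(SubjectPublicKeyInfo))

    public PinCheck(Set<String> pins) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the system trust store
        X509TrustManager x509 = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { x509 = (X509TrustManager) tm; break; }
        }
        if (x509 == null) throw new IllegalStateException("no X509TrustManager available");
        this.ext = new X509TrustManagerExtensions(x509);
        this.pins = pins;
    }

    /** Call after conn.connect() and before any request data is written or read. */
    public void verify(HttpsURLConnection conn) throws Exception {
        Certificate[] peer = conn.getServerCertificates();
        X509Certificate[] served = Arrays.copyOf(peer, peer.length, X509Certificate[].class);
        // Throws CertificateException if the chain is not trusted; otherwise returns the
        // validated chain up to the trust anchor. "RSA" is an assumed auth type.
        List<X509Certificate> chain = ext.checkServerTrusted(served, "RSA", conn.getURL().getHost());
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (X509Certificate cert : chain) {
            // getEncoded() on the key is the DER SubjectPublicKeyInfo, which is unchanged
            // when a certificate is reissued for the same key.
            byte[] spki = cert.getPublicKey().getEncoded();
            String pin = Base64.encodeToString(sha256.digest(spki), Base64.NO_WRAP);
            if (pins.contains(pin)) return; // a pinned key is part of the validated chain
        }
        throw new SSLPeerUnverifiedException("no pinned public key in validated chain");
    }
}
```

Checking the list returned by `checkServerTrusted` rather than the raw server-supplied array means only certificates that actually took part in the validated path can satisfy a pin.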