Hi,

Duncan wrote:
> Meanwhile, another question for Thomas.  Is this "certificate stapling" 
> the same thing google chrome is now doing for the google site, that 
> enabled it to detect the (I think it was) Iranian and/or Chinese CA 
> tampering, allowing them to say a "google" cert was valid that was 
> actually their MitM cert, as appeared in the tech-news a few months ago?  
> Or was that something different?
> 
> I had interpreted (well, I think I read, but either the journalist could 
> have been mixed up too, or maybe I was misinterpreting what I read, 
> either way the effect on my understanding is the same) the "certificate 
> stapling" referred to at the time as indicating that google configured 
> the certs for their own sites into chrome as shipped itself, effectively 
> hard-coding them, NOT as google handling its own OCSP requests, as OCSP 
> cert stapling does.  So now I'm wondering if I interpreted wrong then, or 
> if there's actually two different things being referred to as certificate 
> stapling, here.

No, OCSP Stapling is something else.

Guess you are talking about HSTS and "SSL pinning" [1,2]: in Google
Chrome, they hard-coded some certificates/certificate metadata [3]
which must be present in every certificate chain used for any Google site.

If you connect to a Google site, for example, and that site uses a
certificate from a CA not specified in [3] (depending on the service,
they may also verify against a list of known fingerprints, the way EV SSL
works), the connection will be terminated and the browser will send some
details to Google so they get notified.



See also:
=========
[1] http://blog.chromium.org/2011/06/new-chromium-security-features-june.html

[2] https://www.imperialviolet.org/2011/05/04/pinning.html

[3] http://www.googblogs.com/uncategorized/changes-to-our-ssl-certificates/


-- 
Regards,
Thomas


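The pin check Thomas describes (a hard-coded per-host list of accepted public keys, a connection that is rejected when none of them appears in the served chain, and a report back to the site operator), as an added, self-contained example that is not part of this thread or of Chrome's code. It pins on the SHA-256 of the DER SubjectPublicKeyInfo rather than on whole certificates, so a renewed certificate carrying the same key still passes; any certificate in the chain (leaf, intermediate or root) can satisfy the pin. The pin table, the host names and the SPKI byte strings are constructed stand-ins, not real Google keys.

```python
import base64
import hashlib
from typing import Dict, List, NamedTuple, Optional


class PinEntry(NamedTuple):
    # base64(SHA-256(SubjectPublicKeyInfo DER)) values accepted for this host
    spki_sha256: frozenset
    include_subdomains: bool


class PinResult(NamedTuple):
    ok: bool
    reason: str
    report: Optional[dict]  # what the browser would send back on a violation


def spki_hash(spki_der: bytes) -> str:
    """Hash the DER SubjectPublicKeyInfo, the usual form in which pins are published."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def lookup_pins(host: str, table: Dict[str, PinEntry]) -> Optional[PinEntry]:
    """Exact host first, then each parent domain whose entry covers subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = table.get(".".join(labels[i:]))
        if entry is not None and (i == 0 or entry.include_subdomains):
            return entry
    return None


def check_chain(host: str, chain_spki_der: List[bytes],
                table: Dict[str, PinEntry]) -> PinResult:
    """Accept the chain if any certificate's public key matches a pin for the host.

    This runs after normal chain validation; it only restricts which CAs may
    vouch for a pinned host, it does not replace signature/expiry checks.
    """
    entry = lookup_pins(host, table)
    if entry is None:
        return PinResult(True, "no pins configured for host", None)

    served = [spki_hash(spki) for spki in chain_spki_der]
    if any(h in entry.spki_sha256 for h in served):
        return PinResult(True, "pinned key present in chain", None)

    # Violation: terminate the connection and build a report for the operator.
    report = {
        "hostname": host,
        "served-chain-spki-sha256": served,
        "known-pins": sorted(entry.spki_sha256),
    }
    return PinResult(False, "no pinned key in chain; connection terminated", report)


# --- constructed sample data (stand-ins for DER SPKI blobs, not real keys) ---
PINNED_ROOT_SPKI = b"constructed-spki-der: pinned root CA key"
PINNED_INTERMEDIATE_SPKI = b"constructed-spki-der: pinned intermediate CA key"
SITE_LEAF_SPKI = b"constructed-spki-der: site leaf key"

ROGUE_ROOT_SPKI = b"constructed-spki-der: rogue CA root key"
ROGUE_INTERMEDIATE_SPKI = b"constructed-spki-der: rogue CA intermediate key"
ROGUE_LEAF_SPKI = b"constructed-spki-der: MitM leaf key for the same hostname"

PIN_TABLE: Dict[str, PinEntry] = {
    # hypothetical entry: any *.google.com chain must contain one of these keys
    "google.com": PinEntry(
        frozenset({spki_hash(PINNED_ROOT_SPKI), spki_hash(PINNED_INTERMEDIATE_SPKI)}),
        include_subdomains=True,
    ),
    # hypothetical entry that does NOT extend to its subdomains
    "pinned-only.test": PinEntry(frozenset({spki_hash(PINNED_ROOT_SPKI)}),
                                 include_subdomains=False),
}

# Legitimate chain (leaf -> pinned intermediate -> pinned root)
GOOD_CHAIN = [SITE_LEAF_SPKI, PINNED_INTERMEDIATE_SPKI, PINNED_ROOT_SPKI]
# Chain from a CA that mis-issued a certificate for the same hostname
ROGUE_CHAIN = [ROGUE_LEAF_SPKI, ROGUE_INTERMEDIATE_SPKI, ROGUE_ROOT_SPKI]

if __name__ == "__main__":
    for host, chain in [("www.google.com", GOOD_CHAIN),
                        ("mail.google.com", ROGUE_CHAIN),
                        ("example.com", ROGUE_CHAIN)]:
        result = check_chain(host, chain, PIN_TABLE)
        print(host, "->", result.reason)
        if result.report:
            print("  report:", result.report)
```

The rogue chain is otherwise well-formed; a browser without pins would accept it as long as the rogue CA is in its trust store, which is exactly the case the pin list is there to catch. Note that a pin table only helps for the hosts it lists; the `example.com` call is accepted because no pins apply, not because the chain is trustworthy.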