Ryan Sleevi wrote:

Certificate pinning is one such way to mitigate this threat.

  This is true. But....

There need to be more options for users/allies to solidify a connection to a website other than relying on the webmaster to get their cert pinned (which happens almost never). Yes, some sites have pinned certificates, and lots of large consumer-facing websites have certificate pinning in their long-term security goals. But for small sites and most developers, pinning isn't even on their radar. And even if the webmaster is knowledgeable about the subject, they may not have the time/interest/inclination to go through the process for the top five browsers.

  And for those who use self-signed certs this isn't even a possibility.

Regardless, it's unreasonable to suggest we are responsible for
developers who choose to use eval on untrusted code, who choose not to
use CSP, those who introduce XSS, and likewise, those who fail to use
pinning. These are all complementary tools in the developer's toolbox.

  Now this I definitely agree with =)

~Griffin
--
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change 
to digest, or change password by emailing moderator at compa...@stanford.edu.
