
Doesn't Chrome use certificate pinning? It seems that it would be immune to this, no?


Yes, which is how they found out about the fraudulent cert. They went ahead and revoked the entire intermediate CA because Chrome doesn't pin the whole internet, and if Google confirmed fraud on their own domain, it has to assume there are others.

Chrome's popularity and Google's use of pinning to their own properties is a pretty powerful combination to detect MITM.


Note that we haven't said that pinning found this event. We have several channels by which we receive information about these sorts of things.


Fascinating. I assume that means Chrome wasn't used with the cert otherwise pinning should have been the giveaway.


> Chrome's popularity and Google's use of pinning to their own properties is a pretty powerful combination to detect MITM.

Plus the fact that Chrome reports back to Google when it finds a valid certificate that's not the pinned one.


For Google properties yes, but not for the majority of sites.
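The thread above describes three things: pins are checked only for hosts that have them, a cert that passes normal chain validation but matches no pin is the signal, and that mismatch is what gets reported. This is an added example, not Chrome's code, showing that logic in the same order a browser applies it; the hostnames and SPKI byte strings are constructed placeholders, and the report field layout is illustrative rather than any real report format.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample blobs standing in for DER-encoded SubjectPublicKeyInfo
# structures. Real ones are extracted from each certificate in the chain.
LEGIT_INTERMEDIATE_SPKI = b"constructed-spki:legit-intermediate"
LEGIT_LEAF_SPKI = b"constructed-spki:legit-leaf"
ROGUE_INTERMEDIATE_SPKI = b"constructed-spki:rogue-intermediate"
ROGUE_LEAF_SPKI = b"constructed-spki:rogue-leaf-from-mis-issued-ca"


def spki_pin(spki_der: bytes) -> str:
    """Public-key pin in the usual form: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Static pin list (constructed): hostname -> SPKI hashes accepted anywhere
# in the chain. Pinning the intermediate means a leaf rotation still passes.
PINS = {"example-pinned.test": {spki_pin(LEGIT_INTERMEDIATE_SPKI)}}


@dataclass
class PinResult:
    status: str  # "ok", "not_pinned", "pin_violation" or "chain_invalid"
    report: Optional[dict] = None


def check_pins(hostname: str, chain_spkis: List[bytes], chain_valid: bool) -> PinResult:
    """Apply pins only after ordinary path validation, and only for pinned hosts."""
    if not chain_valid:
        # Rejected by normal validation already; pins are never consulted.
        return PinResult("chain_invalid")
    expected: Optional[Set[str]] = PINS.get(hostname)
    if expected is None:
        # A fraudulent-but-valid cert for an unpinned host is invisible here,
        # which is the limitation the last comment points out.
        return PinResult("not_pinned")
    observed = {spki_pin(s) for s in chain_spkis}
    if observed & expected:
        return PinResult("ok")
    # Valid chain, but no pinned key in it: the signal worth reporting.
    return PinResult("pin_violation", report={
        "hostname": hostname,
        "observed_pins": sorted(observed),
        "known_pins": sorted(expected),
    })
```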



