
TACK is not competing with Chrome, but with the Public Key Pinning Extension, currently in draft (see http://tools.ietf.org/html/draft-ietf-websec-key-pinning-01). As the name says, they too are proposing to pin public keys, not certificates. I prefer TACK, because it makes sense to solve this problem on the TLS level, rather than on the HTTP level.

EDIT: It's difficult to find a confirmation online, but I recall that Public Key Pinning is already live in Chrome, starting with version 18.




Correct. Even though Chrome calls its feature "certificate pinning", it is actually pinning public keys. Trevor pointed me at their code below:

http://src.chromium.org/viewvc/chrome/trunk/src/net/base/tra...

The criticism of Chrome's pinning is still valid though. The pinned key is allowed to show up anywhere in the cert chain, not just at the leaf certificate. Also, they have to pin several CAs, as well as multiple keys per CA to deal with sub-CAs.

-----
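The two comments above turn on one distinction: a pin on a public key (the SubjectPublicKeyInfo) survives certificate re-issuance, while a pin on a certificate does not, and Chrome's rule that a pinned key may sit anywhere in the chain means a pin on an intermediate CA key accepts every leaf that CA signs. The following is an added example, not code from the thread, from Chrome or from the HPKP draft. It uses constructed placeholder byte strings where a real chain would carry DER-encoded certificates and SPKI blobs, and computes pins the way HPKP does (base64 of the SHA-256 of the SPKI); the `Cert` class, the key bytes and the chains are all assumptions made for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not real DER).

    spki_der plays the role of the DER SubjectPublicKeyInfo, which is what
    Chrome's pinning and the HPKP draft hash; serial stands for everything
    else in the certificate that changes when it is re-issued.
    """
    subject: str
    issuer: str
    serial: int
    spki_der: bytes

    def cert_der(self) -> bytes:
        # Stand-in for the whole encoded certificate: the serial is covered,
        # so re-issuing with the same key yields different bytes.
        return b"|".join([self.subject.encode(), self.issuer.encode(),
                          str(self.serial).encode(), self.spki_der])


def spki_pin(cert: Cert) -> str:
    """HPKP-style pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode()


def cert_fingerprint(cert: Cert) -> str:
    """What a *certificate* pin would hash: the whole certificate."""
    return hashlib.sha256(cert.cert_der()).hexdigest()


def chain_matches_pins(chain: List[Cert], pins: Set[str]) -> bool:
    """Chrome/HPKP rule: accept if ANY certificate in the chain carries a pinned key."""
    return any(spki_pin(c) in pins for c in chain)


def leaf_matches_pins(chain: List[Cert], pins: Set[str]) -> bool:
    """Stricter rule for comparison: only the leaf (chain[0]) key may satisfy the pin."""
    return spki_pin(chain[0]) in pins


# Constructed keys: real SPKI values would be DER; these are labelled placeholders.
ROOT_KEY = b"SPKI:root-ca-key"
INTERMEDIATE_KEY = b"SPKI:intermediate-ca-key"
SITE_KEY = b"SPKI:example-site-key"
ATTACKER_KEY = b"SPKI:attacker-key"

ROOT = Cert("Root CA", "Root CA", 1, ROOT_KEY)
INTERMEDIATE = Cert("Intermediate CA", "Root CA", 2, INTERMEDIATE_KEY)
SITE_CERT = Cert("example.com", "Intermediate CA", 1001, SITE_KEY)
# Same site key, re-issued with a new serial: a certificate pin breaks, a key pin does not.
SITE_CERT_RENEWED = Cert("example.com", "Intermediate CA", 1002, SITE_KEY)
# A different key for the same name, signed by the pinned intermediate.
ROGUE_CERT = Cert("example.com", "Intermediate CA", 1003, ATTACKER_KEY)


def demo() -> Dict[str, bool]:
    pins_on_intermediate = {spki_pin(INTERMEDIATE)}   # pinning a CA key, as Chrome's list does
    pins_on_leaf = {spki_pin(SITE_CERT)}              # pinning the site's own key

    return {
        # A key pin survives certificate renewal; a certificate fingerprint does not.
        "key_pin_stable_across_renewal":
            spki_pin(SITE_CERT) == spki_pin(SITE_CERT_RENEWED),
        "cert_fingerprint_stable_across_renewal":
            cert_fingerprint(SITE_CERT) == cert_fingerprint(SITE_CERT_RENEWED),
        # Pinning the intermediate accepts the legitimate chain ...
        "intermediate_pin_accepts_site":
            chain_matches_pins([SITE_CERT, INTERMEDIATE, ROOT], pins_on_intermediate),
        # ... and also any other leaf that intermediate signs: the criticism above.
        "intermediate_pin_accepts_rogue_leaf":
            chain_matches_pins([ROGUE_CERT, INTERMEDIATE, ROOT], pins_on_intermediate),
        # A leaf-only check against a leaf pin rejects the rogue leaf but
        # still accepts the renewed certificate, because the key is unchanged.
        "leaf_pin_rejects_rogue_leaf":
            not leaf_matches_pins([ROGUE_CERT, INTERMEDIATE, ROOT], pins_on_leaf),
        "leaf_pin_accepts_renewed_site":
            leaf_matches_pins([SITE_CERT_RENEWED, INTERMEDIATE, ROOT], pins_on_leaf),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows why a site operator pins keys rather than certificates (renewal with the same key keeps the pin valid) and why the any-position rule is a weaker guarantee: once an intermediate's key is in the pin set, every certificate that intermediate ever issues for the name passes the pin check, which is also why Chrome's list has to carry several CA keys per site.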



