Talk:Certificate and Public Key Pinning

Past Failures
This section is 'further reading' for those interested in surveying the landscape.


 * Governments Want/Require Interception
 * Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL, cryptome.org/ssl-mitm.pdf
 * http://www.dailymail.co.uk/indiahome/indianews/article-2126277/No-secrets-Blackberry-Security-services-intercept-data-government-gets-way-messenger-service.html
 * Governments Engage in Interception
 * http://www.thetechherald.com/articles/Tunisian-government-harvesting-usernames-and-passwords/12429/
 * Vendors Provide Interception Taps
 * http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html
 * Governments Use Interception Taps
 * https://www.eff.org/nsa-spying
 * Mobile Interception is Patented
 * Lawful interception for targets in a proxy mobile internet protocol network, http://www.google.com/patents/EP2332309A1
 * Handset manufactures add trusted roots
 * http://gaurangkp.wordpress.com/tag/nokias-man-in-the-middle-attack/
 * Carriers can add trusted roots
 * No reference yet, but http://www.theregister.co.uk/2011/12/15/carrier_iq_privacy_latest/
 * CAs can become compromised
 * http://isc.sans.edu/diary.html?storyid=11500
 * Researchers can create Rogue CAs
 * http://www.win.tue.nl/hashclash/rogue-ca/
 * DNS can become compromised
 * http://forums.theregister.co.uk/forum/2/2011/09/05/dns_hijack_service_updated/
 * Physical plant can become compromised
 * http://www.pcworld.com/article/119851/paris_hilton_victim_of_tmobiles_web_flaws.html
 * Its easy to set up an AP or Base Station (Chris Paget's IMSI Catcher)
 * http://www.wired.com/threatlevel/2010/07/intercepting-cell-phone-calls/
 * Can't trust some CAs – they will sell you out and issue subordinate CAs for money
 * http://www.net-security.org/secworld.php?id=12369
 * http://www.zdnet.com/trustwave-sold-root-certificate-for-surveillance-3040095011/
 * Can't trust some browsers – they will sell you out and elide their responsibility
 * https://bugzilla.mozilla.org/show_bug.cgi?id=724929
 * Can't trust some browsers – they include questionable certificates out of the box
 * https://bugzilla.mozilla.org/show_bug.cgi?id=542689
 * Can't override some browser's CA list
 * http://my.opera.com/community/forums/topic.dml?id=1580452
 * Can't override OS's CA list (burned into ROM)
 * http://support.google.com/android/bin/answer.py?hl=en&answer=1649774
 * CRL/OCSP does not work as expected/intended
 * http://blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modern-browsers.html
 * https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
 * User will break it too (not just bad guys)
 * http://www.esecurityplanet.com/mobile-security/hacker-bypasses-apples-ios-in-app-purchases.html
 * http://www.h-online.com/security/news/item/Apps-for-Windows-8-easily-hacked-1767839.html
 * Interception proxies add additional risk
 * http://blog.cryptographyengineering.com/2012/03/how-do-interception-proxies-fail.html
 * HTTPS is broken
 * http://www.thoughtcrime.org/software/sslstrip/
 * PKI is broken
 * www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf
 * The Internet is Broken :)
 * http://blog.cryptographyengineering.com/2012/02/how-to-fix-internet.html