throwaway2016a | 11 months ago
Tell me, how exactly else are you supposed to update an app with a pinned certificate without defeating the whole purpose of pinning?
How about Google?
https://chromium.googlesource.com/chromium/src/+/main/net/da...
> The Chrome Root Store contains the set of certificates Chrome trusts by default.
Google also bundles some certificate fingerprints with their browser.
You can see right here where they are in their source code:
https://chromium.googlesource.com/chromium/src/+/main/net/da...
But according to trod1234 it is "common knowledge" you shouldn't do that... so Google and Mozilla must both be idiots.
In fact, Google's Android network article has a section specifically on how to add it to their mobile apps[1].
Any app that follows that article and has a root key expire will need to push an update if they don't have backup pins. And the only way to do that is... as I said in my original reply up top... update the entire app the cert is pinned to.
There are literally hundreds of sources I can find, including the other reply to the post I replied to... which says the same thing as me but for some reason isn't being trolled.
[1] https://developer.android.com/privacy-and-security/security-...
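To make the "backup pins" point concrete, here is an added example (not code from the thread, from Android, or from any of the linked articles) that models the check an Android network security config `<pin-set>` performs: a pin is base64(SHA-256(SubjectPublicKeyInfo)), the chain passes if any certificate in it matches a pin, and an expired pin set disables the check. The SPKI byte strings are constructed stand-ins, not real keys.

```python
import base64
import hashlib
from datetime import date

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo (SPKI) of three
# CA keys; real pins are computed over the actual SPKI bytes of the certificate.
CURRENT_ROOT_SPKI = b"constructed-spki: current root"
BACKUP_ROOT_SPKI = b"constructed-spki: pre-announced backup root"
UNPLANNED_ROOT_SPKI = b"constructed-spki: new root nobody pinned"


def spki_pin(spki_der: bytes) -> str:
    """Pin value in the Android <pin digest="SHA-256"> format: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_passes_pinning(chain_spkis, pin_set, today, expiration=None):
    """Pin check as a <pin-set> enforces it on the validated chain.

    The chain is accepted if any certificate in it carries a pinned SPKI. If
    the pin set has an expiration date that has passed, pinning is no longer
    enforced, which is the escape hatch that keeps old installs working.
    """
    if expiration is not None and today > expiration:
        return True
    return any(spki_pin(spki) in pin_set for spki in chain_spkis)


def rotation_outcomes(today=date(2025, 6, 1)):
    """Outcomes of a CA key rotation under the pin sets discussed in the thread."""
    only_current = {spki_pin(CURRENT_ROOT_SPKI)}
    with_backup = only_current | {spki_pin(BACKUP_ROOT_SPKI)}
    # leaf and intermediate SPKIs are unpinned; only the root decides here
    to_backup = [b"leaf", b"intermediate", BACKUP_ROOT_SPKI]
    to_unplanned = [b"leaf", b"intermediate", UNPLANNED_ROOT_SPKI]
    return {
        # rotation to the backup key: no app update needed
        "backup_pin_covers_rotation": chain_passes_pinning(to_backup, with_backup, today),
        # no backup pin: every install breaks until a new app version ships
        "single_pin_needs_app_update": chain_passes_pinning(to_backup, only_current, today),
        # backup pins only help for keys that were pinned ahead of time
        "unplanned_key_fails_even_with_backup": chain_passes_pinning(to_unplanned, with_backup, today),
        # expired pin set: the check is skipped entirely, so nothing breaks
        "expired_pin_set_skips_check": chain_passes_pinning(
            to_unplanned, only_current, today, expiration=date(2025, 1, 1)),
    }


if __name__ == "__main__":
    for name, ok in rotation_outcomes().items():
        print(f"{name}: {'connects' if ok else 'pin failure'}")
```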
trod1234 | 11 months ago
The three links I provide below contradict the claims that are objectively discernible. The rest is ignored.
What I actually said is common knowledge in the field and best practice; more importantly, it's not just me saying it; it is well known in industry, see [1][2][3].
There is no need for any further correspondence here.
[1] https://www.ssl.com/blogs/what-is-certificate-pinning/
[2] https://blog.cloudflare.com/why-certificate-pinning-is-outda...
[3] https://developer.android.com/privacy-and-security/security-... (Restricting your App to Specific Certificates... Caution...)
nolist_policy | 11 months ago
Now, I didn't read the source code, but Mozilla's wording implies they use a custom PKI to sign extensions.
Given that most (all?) root programs only certify host names or email addresses (S/MIME), it is reasonable for Mozilla to run a custom PKI for this. And that necessarily requires shipping/pinning the root certificates.
Actually this whole discussion is moot, because Firefox uses (and ships with) the Mozilla Root Program. So it can not not pin certificates, because that is the whole point of a root program.
Looks like we all learned something today.
throwaway2016a | 11 months ago
2. Once again... and I'm tired of repeating this... that's a straw man because never once in my original comment did I say pinning was a good idea or advocate for it.
3. With #2 in mind, seeing as my position was not for or against pinning, sending me articles about how bad it is just proves it is in common enough use to warrant mainstream articles. Though again, moot, because I wasn't arguing it is common, so another straw man.
From your source:
> Certificate pinning, the practice of restricting the certificates that are considered valid for your app to those you have previously authorized, is not recommended for Android apps.
At no point did I say this is not the case. I am aware of the limitations of pinning. Doesn't change the fact of my original post -- which is correct and has not been refuted in a single one of these replies -- Mozilla distributes the root public keys with their app (as does Google as proven by my citation) and the way to upgrade it is to install the newest version.
That last sentence is ALL my original post said, and one of your replies or the other person's once addressed that statement; you're all addressing these ridiculous straw men that I never actually said.