Please don’t use certificate pinning
It's not just the misissuance, but also difficulty distrusting a CA, because a site can't swap out their cert until they update their mobile app and a sufficient number of users upgrade.
I wish that CAs and UAs were willing to let the people who misuse the WebPKI (e.g. through poorly planned pinning) burn; then there would be no externalization. But that's not the case, so I think pinning even in mobile apps ought to be discouraged.
Wow, they got Symantec to reissue a cert over a holiday? Now I feel like chopped liver
One leads to the next; the misissuance (the externalization) necessitates the distrust. Pinning in an application doesn’t even necessitate the use of the WebPKI and arguably should not; the pinning is not the root cause of externalization; malfeasance is.
If they're not using the WebPKI then everything is good, and way better than hand-rolling ... whatever that JSON is. I wouldn't call that pinning though; that's just using a private CA.