Opened 5 years ago

Closed 21 months ago

#1413 closed enhancement (wontfix)

public key pinning for our sites

Reported by: killyourtv Owned by: Eche|on
Priority: minor Milestone:
Component: www/i2p Version: 0.9.16
Keywords: Cc:
Parent Tickets: Sensitive: no

Description

As suggested by Anarchos on IRC it may be worthwhile have our certs pinned by Mozilla and/or any other browsers.

https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

Subtickets

Change History (5)

comment:1 Changed 5 years ago by zzz

Somewhat related proposal for pseudo-pinning of our reseed hosts: http://zzz.i2p/topics/1752

comment:2 Changed 4 years ago by str4d

Status: newopen

comment:3 Changed 21 months ago by Eche|on

Owner: set to Eche|on
Status: openassigned

comment:4 Changed 21 months ago by Eche|on

Certificate pinning is mostly obsolete.

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
It will be removed from chrome in 2018, also IE/Edge does not support it at all.
New one is:
https://en.wikipedia.org/wiki/Certificate_Transparency

comment:5 Changed 21 months ago by zzz

Resolution: wontfix
Status: assignedclosed

agreed. Also dangerous. See 'suicide by pinning'

Note: See TracTickets for help on using tickets.