Opened 5 years ago
Closed 21 months ago
#1413 closed enhancement (wontfix)
public key pinning for our sites
| Reported by: | killyourtv | Owned by: | Eche|on |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | www/i2p | Version: | 0.9.16 |
| Keywords: | Cc: | ||
| Parent Tickets: | Sensitive: | no |
Description
As suggested by Anarchos on IRC it may be worthwhile have our certs pinned by Mozilla and/or any other browsers.
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
Subtickets
Change History (5)
comment:1 Changed 5 years ago by
comment:2 Changed 4 years ago by
| Status: | new → open |
|---|
comment:3 Changed 21 months ago by
| Owner: | set to Eche|on |
|---|---|
| Status: | open → assigned |
comment:4 Changed 21 months ago by
Certificate pinning is mostly obsolete.
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
It will be removed from chrome in 2018, also IE/Edge does not support it at all.
New one is:
https://en.wikipedia.org/wiki/Certificate_Transparency
comment:5 Changed 21 months ago by
| Resolution: | → wontfix |
|---|---|
| Status: | assigned → closed |
agreed. Also dangerous. See 'suicide by pinning'
Note: See
TracTickets for help on using
tickets.
Somewhat related proposal for pseudo-pinning of our reseed hosts: http://zzz.i2p/topics/1752