Gmail and SSL

Steven Bellovin smb at
Thu Jan 3 00:29:05 UTC 2013

On Jan 2, 2013, at 7:15 PM, Randy Bush <randy at> wrote:

>> Do you run Cert Patrol (a Firefox extension) in your browser?
> yes, but my main browser is chrome (ff does poorly with nine windows and
> 60+ tabs).  there is some sort of pinning, or at least discussion of it.
> but it is not clear what is actually provided.  and i don't see evidence
> of churn reporting.
Google uses certificate pinning for a very, very few sites.  From :

	In addition in Chromium 13, only a very small subset of CAs have the 
	authority to vouch for Gmail (and the Google Accounts login page).

You can turn it on for other sites but:

	Advanced users can enable stronger security for some web sites by 
	visiting the network internals page: chrome://net-internals/#hsts

	You can now force HTTPS for any domain you want, and even “pin” that 
	domain so that only a more trusted subset of CAs are permitted to
	identify that domain.

	_It’s an exciting feature but we’d like to warn that it’s easy to break 
	things! We recommend that only experts experiment with net internals 

Emphasis theirs.  

The only Chrome browser I have lying around right now is on a Nexus 7 tablet;
I don't see any way to list the pinned certs from the browser.  There is a
list at, and while I
don't know how current it is you'll notice a decided dearth of interesting
sites with the exceptions of and

		--Steve Bellovin,
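
The pinning and "force HTTPS" behaviour discussed in this thread, as an added illustration (not code from the post, from Chromium, or from the NANOG list): a small Python model of how a per-host policy table of the kind behind chrome://net-internals/#hsts is evaluated. The hostnames, the `fake_spki_hash` helper, and the good/bad hash sets are constructed for the example; the evaluation rule (reject if any chain certificate matches a "bad" hash, accept only if at least one matches a "good" hash, otherwise fall back to ordinary CA validation) is modelled on Chromium's static pin handling and is an assumption of this example, not a description of current browser code.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


def fake_spki_hash(label: str) -> str:
    """Stand-in for a real pin: a real pin is the SHA-256 of the DER-encoded
    SubjectPublicKeyInfo of a CA or leaf key. Here we hash a constructed
    label so the example runs offline without any certificates."""
    digest = hashlib.sha256(label.encode("utf-8")).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    good: FrozenSet[str]  # chain must contain at least one of these SPKI hashes
    bad: FrozenSet[str]   # chain must contain none of these


@dataclass(frozen=True)
class HostPolicy:
    force_https: bool          # the "force HTTPS for any domain" switch
    include_subdomains: bool   # whether the entry also covers subdomains
    pins: Optional[PinSet] = None


# Constructed policy table (hypothetical hosts, hypothetical CA names).
POLICY = {
    "mail.example.test": HostPolicy(
        force_https=True,
        include_subdomains=False,
        pins=PinSet(
            good=frozenset({fake_spki_hash("Trusted CA A"),
                            fake_spki_hash("Trusted CA B")}),
            bad=frozenset({fake_spki_hash("Revoked intermediate")}),
        ),
    ),
    "example.test": HostPolicy(force_https=True, include_subdomains=True),
}


def lookup(host: str) -> Optional[HostPolicy]:
    """Find the most specific policy entry for host. An exact entry always
    applies; a parent-domain entry applies only if include_subdomains is set."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = POLICY.get(candidate)
        if policy is not None and (i == 0 or policy.include_subdomains):
            return policy
    return None


def must_upgrade(host: str) -> bool:
    """True when the policy table forces an HTTPS connection for host."""
    policy = lookup(host)
    return bool(policy and policy.force_https)


def chain_allowed(host: str, chain_spki_hashes: List[str]) -> bool:
    """Evaluate a validated chain's SPKI hashes against the host's pin set.
    No pin set means pinning imposes no extra restriction beyond CA validation."""
    policy = lookup(host)
    if policy is None or policy.pins is None:
        return True
    hashes = set(chain_spki_hashes)
    if hashes & policy.pins.bad:
        return False          # a blacklisted key anywhere in the chain fails closed
    return bool(hashes & policy.pins.good)


if __name__ == "__main__":
    leaf = fake_spki_hash("leaf key")
    ok_chain = [leaf, fake_spki_hash("Trusted CA A")]
    rogue_chain = [leaf, fake_spki_hash("Some other publicly trusted CA")]
    print("mail.example.test via Trusted CA A :", chain_allowed("mail.example.test", ok_chain))
    print("mail.example.test via other CA     :", chain_allowed("mail.example.test", rogue_chain))
    print("www.example.test forces HTTPS      :", must_upgrade("www.example.test"))
```

The point the thread makes is visible in `rogue_chain`: a chain that any ordinary CA validation would accept still fails, because pinning narrows the set of CAs allowed to vouch for that one host. The `include_subdomains` flag is why a parent-domain entry can quietly cover hosts you did not intend, which is the kind of breakage the quoted warning refers to.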

More information about the NANOG mailing list