Gmail and SSL

Steven Bellovin smb at cs.columbia.edu
Thu Jan 3 02:12:27 UTC 2013


On Jan 2, 2013, at 8:25 PM, Seth David Schoen <schoen at loyalty.org> wrote:

> Steven Bellovin writes:
> 
>> The only Chrome browser I have lying around right now is on a Nexus 7 tablet;
>> I don't see any way to list the pinned certs from the browser.  There is a
>> list at http://www.chromium.org/administrators/policy-list-3, and while I
>> don't know how current it is you'll notice a decided dearth of interesting
>> sites with the exceptions of paypal.com and lastpass.com.
> 
> You can see the current list of cert pins and HSTS preloads in the Chromium
> source tree at
> 
> https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.h?view=markup
> 
> or
> 
> https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.json?view=markup

Thanks.  The list is longer, but with the exception of Twitter (and possibly intuit -- a subdomain
is shown), not a lot more interesting.  I don't see major banks, I don't see Facebook or Hotmail,
I don't see the big CAs, etc.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb








More information about the NANOG mailing list