[tor-bugs] #9167 [Flashproxy]: Find a more stable key pinning scheme for www.google.com
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jun 29 22:20:01 UTC 2013
#9167: Find a more stable key pinning scheme for www.google.com
------------------------+---------------------------------------------------
Reporter: dcf | Owner: dcf
Type: defect | Status: new
Priority: normal | Milestone:
Component: Flashproxy | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by dcf):
It looks like we are hashing the right thing (`pubkey_der`). What it looks
like we're doing wrong is we need to also check intermediate certificates'
keys.
Do
{{{
openssl s_client -connect www.google.com:443 -showcerts
}}}
Running the leaf certificate through [https://tools.ietf.org/html/draft-
ietf-websec-key-pinning-06#appendix-A these OpenSSL commands] gives
{{{
1e3f66cfa0eb03136297fdb238ad6619c30ff375 p1.key
}}}
which is what we have pinned in flashproxy-reg-appspot. But doing the same
with the intermediate certificate gives
{{{
40c5401d6f8cbaf08b00edefb1ee87d005b3b9cd p2.key
}}}
which is the same as a Chromium digest:
{{{
static const char kSPKIHash_Google1024[] =
"\x40\xc5\x40\x1d\x6f\x8c\xba\xf0\x8b\x00"
"\xed\xef\xb1\xee\x87\xd0\x05\xb3\xb9\xcd";
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9167#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list