China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 21:04 UTC (Wed) by raven667 (subscriber, #5198)
In reply to: China, GitHub and the man-in-the-middle (Greatfire) by kjp
Parent article: China, GitHub and the man-in-the-middle (Greatfire)

That's not entirely true, some browsers such as Chrome do support pinning and have signatures for some keys shipped with the software and will flag it if it doesn't see the expected key when going to, for example, www.google.com

to post comments

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 0:05 UTC (Thu) by robert_s (subscriber, #42402) [Link] (2 responses)

Right, but you can't exactly argue that such a scheme is truly scalable, can you?

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 16:32 UTC (Thu) by raven667 (subscriber, #5198) [Link]

Well SSH style key pinning is scalable but is dependent on the first interaction being clean, which may not be the case in a network with pervasive SSL proxying. Pre-loaded key lists, assuming they haven't been tampered with, can flag for major sites that can be listed but in both cases most users are just going to click through any warnings to get to where they want to go.

The benefit is that the one user who actually pays attention can trivially demonstrate that the MITM is going on and sound the alarm.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 9:36 UTC (Fri) by job (guest, #670) [Link]

It's not, but it goes a long way from nothing. Github is probably large and important enough (certainly after this) that the Chromium devs could ship with their certificate pinned, as they do for Tor and Twitter. By protecting the large web sites, any blanket MITM would also be discovered. If you are a developer and have access to out-of-band communications, perhaps it is worthwhile manually pinning the sites important to you.