Hacker News new | ask | show | jobs
by throwaway2016a 456 days ago
rolls eyes sure bud

Tell me, how exactly else are you supposed to update an app with a pinned certificate without defeating the whole purpose of pinning?

How about Google?

https://chromium.googlesource.com/chromium/src/+/main/net/da...

> The Chrome Root Store contains the set of certificates Chrome trusts by default.

Google also bundles some certificate fingerprints with their browser.

You can see right here where they are in their source code:

https://chromium.googlesource.com/chromium/src/+/main/net/da...

But according to trod1234 it is "common knowledge" you shouldn't do that... so Google and Mozilla must both be idiots.

In fact, Google's Android network article has a section specifically on how to add it to their mobile apps[1].

Any app that follows that article and has a root key expire will need to push an update if they don't have backup pins. And the only way to do that is... as I said in my original reply up top... update the entire app the cert is pinned too.

There are literally hundreds of sources I can find. Including the other reply to the post I replied to... which says the same thing as me but for some reason isn't being trolled.

[1] https://developer.android.com/privacy-and-security/security-...
1 comments
trod1234 455 days ago
The links you provide do not properly support what you say, imply, or claim.

The three links I provide below contradict the claims that are objectively discern-able. The rest is ignored.

What I actually said is common knowledge in the field and best practice, more importantly its not just me saying it; it is well known in industry, see [1][2][3].

There is no need for any further correspondence here.

[1] https://www.ssl.com/blogs/what-is-certificate-pinning/

[2] https://blog.cloudflare.com/why-certificate-pinning-is-outda...

[3] https://developer.android.com/privacy-and-security/security-... (Restricting your App to Specific Certificates... Caution...)

link
nolist_policy 455 days ago
Your links apply to public pki certificates.

Now, I didn't read the source code, but Mozillas wording implies they use a custom pki to sign extentions.

Given that most (all?) root programs only certify host names or email addresses (S/MIME), it is reasonable for Mozilla to run a custom pki for this. And that neccesarily requires shipping/pinning the root certificates.

Actually this whole discussion is moot, because Firefox uses (and ships with) the Mozilla Root Program. So it can not not pin certificates, because that is the whole point of a root program.

Looks like we all learned something today.

link
throwaway2016a 455 days ago
You contradict your part here. I'm not sure if you meant to because the rest of your post sounds like it is saying Mozilla needs to pin if it's using a custom signing mechanism.

> Firefox uses (and ships with) the Mozilla Root Program

> can not not pin certificates

Shipping with a certificate store is by definition, pinning. So not only can it but your own post states it is when it says "and ships with".

link
throwaway2016a 455 days ago
1. Most of those articles refer to Public Key Pinning (HPKP), which is not the type Mozilla used. There is more than one type of pinning.

2. Once again... and I'm tired of repeating this... that's a straw man because never once in my original comment did I say pinning as a good idea or advocate for it.

3. With #2 in mind, seeing as my position was not for or against pinning, sending me articles about how bad it is just proves it is common enough use to warrant mainstream articles. Though again, moot, because I wasn't arguing it is common so another straw man.

From your source:

> Certificate pinning, the practice of restricting the certificates that are considered valid for your app to those you have previously authorized, is not recommended for Android apps.

At no point did I say this is not the case. I am aware of the limitations of pinning. Doesn't change the fact of my original post -- which is correct and has not been refuted in a single one of these replies -- Mozilla distributes the root public keys with their app (as does Google as proven by my citation) and the way to upgrade it is to install the newest version.

That last sentence is ALL my original post said and one of your replies or the other persons once addressed that statement, you're all addressing these ridiculous straw men that I never actually said.

link
trod1234 453 days ago
You show a troubling self-referential incoherence in the things you claim and communicate in your responses that belies your credibility entirely.

This has not gone unnoticed, I gave you quite a bit of rope and you did not disappoint.

You have at some point willfully blinded yourself, and you missed and by extension failed to comprehend the conversation subject matter, or you are doing this intentionally with malice to extract cost on volunteers.

Your choice to ignore salient points, dissemble, improper use or comprehension of working practice and vernacular, and the fact that you communicate incoherently communicates to those watching that you are doing so with intention, the longer and more frequently you do it.

We communicate all the time whether we know it or not. Communicating incoherently and ambiguously communicates another message altogether since human beings are consistent psychologically; unless they are extremely unwell in which case they shouldn't be talking about extraneous things at all.

Negligence is inconsistent. Malice and malevolence are not. Loss with Negligence is intent, and given sufficient activity shows malevolence.

There are consequences for doing such things, none immediate. The main consequence is when you do this sufficiently broadly open societies become closed societies as they become destabilized. They become destabilized because you attack the underpinning of open society creating dynamics extracting cost, its an overt act.

Toleration disappears, and this is how Hitler came to power.

The Bolsheviks tried to capitalize on a distressed Germany following many of the same tactics you demonstrated to impose cost and move the masses, which gave Hitler all he needed to come to power and do horrifying things. There are a growing number of parallels between Hitler and Trumps actions.

The rule of law, broke down to rule by law overnight. Society ceased protecting anyone. What did Hitler do? The first thing he did was killed the Socialist and Communists by political leftist affiliation. The instigators. Millions of them and their families, and children. Then he went on as history shows dwarfing this to a mere footnote.

They had no warning, the lists were made in advance based on actions and participation following Machiavelli. Hitler rose to power because the Bolsheviks tried to impose cost to try and takeover, in the process paving the way to their own destruction (and many others). They were not alone in that but they gave him everything he wanted.

We live in a surveillance society. Acting like an enemy of society by committing subversive overt acts whether you recognize it or not is going to endanger you later.

This is an earnest warning. It should be clear that tolerance has just about completely dried up for this behavior, as evidenced by DOGE, and the fact that approval ratings for democrats are at an all time low, while the exact opposite is at an all time high. DEI is a form of Maoism, and they are stripping it out of government. These type of things change overnight, and the perceptual blindness that made you unable to follow the conversations here will disadvantage you whether you know it or not.

It won't be up to you to decide when it gets to that point. Its decided for you based on your past actions, and fueled by surveillance that are beyond the pale of the STASI's wettest dreams, targeting guilt by association.

This is why you should strive to be clear and concise in what you mean without engaging in many of the fallacy based methodology linked most recently to communism like you did.

You might think its inconsequential, but you won't know that's not the case until its too late, and this is a public forum that is archived. AI could be trained to look for this. Think about it.

There are several ways to upgrade Root CA signed PKI issued certs on all endpoint devices that become expired seemlessly notouch without reinstallation of a bundle in design. Mozilla and Google don't do this not because they are idiots but because it benefits them at the loss of the user.

The best practice is to have a pool of several PKIs that are each signed at the top by a different root CA and using CT Logs, Domain Check Validation, etc to migrate them as needed without reinstall or outage. This was included in material I linked that you say you read but didn't comprehend or address.

You aren't a professional. The support that you link does not support what you say which itself is impossibly ambiguous; intentionally so.

link
throwaway2016a 452 days ago
It is a conversation that started with a simple post that was just pointing out that you had to download a new version the way Mozilla implemented the pinning.

I never said it was a good idea, I never made a political statement, I never said there wasn't a better way to do it with current PKI technology. I simply explained the way it had to be done the way Mozilla implemented it and I have to deal with rants talking about Hitler. And you call me unprofessional?

This conversation is over.

link