by bigiain 4220 days ago
Unless, as the article points out, the attacker has your private SSL key (perhaps leaked via Heartbleed).

Without cert pinning there's also the problem of the attacker convincing some browser-trusted CA to issue an SSL cert for addons.mozilla.org, then MITMing you with that.

(And with 600+ trusted roots, many of which are owned by various governments, against state level attackers an ssl connection's claim of authenticity has to be considered very close to worthless...)

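The defence the comment above is asking about, public-key pinning, reduces to a simple check: hash the leaf certificate's SubjectPublicKeyInfo and refuse the connection unless that hash is in a pin set shipped with the client. A mis-issued certificate from a different CA carries a different key, so it fails the check even though the chain validates. The following is an added example, not code from the thread or from Mozilla; it implements the SPKI-hash pin format (SHA-256, base64) over DER with a minimal, purpose-built DER walker, and the certificates it checks are constructed test data, not real certificates.

```python
import base64
import hashlib

# --- minimal DER helpers (enough for the RFC 5280 Certificate layout) ---

def der_tlv(tag, content):
    """Encode one DER TLV with a definite length (used to build test data)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_read(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, start, start + length

# --- pin extraction and check ---

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo.

    Field order in tbsCertificate (RFC 5280): [0] version (optional),
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo.
    Returns the complete SPKI TLV (header included), which is what gets hashed.
    """
    tag, start, _ = der_read(cert_der, 0)          # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, pos, _ = der_read(cert_der, start)         # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate missing"
    tag, _, ver_end = der_read(cert_der, pos)
    if tag == 0xA0:                                 # skip EXPLICIT [0] version
        pos = ver_end
    for _ in range(5):                              # serial, sigalg, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    tag, _, spki_end = der_read(cert_der, pos)
    assert tag == 0x30, "subjectPublicKeyInfo missing"
    return cert_der[pos:spki_end]

def spki_pin(cert_der):
    """base64(SHA-256(SPKI DER)), the pin form used by HTTP Public Key Pinning."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def check_pin(cert_der, pins):
    """True only if the leaf's public key is one the client already trusts."""
    return spki_pin(cert_der) in pins

# --- constructed test certificates (hypothetical keys, not real certs) ---

RSA_OID = bytes.fromhex("2A864886F70D010101")          # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")   # sha256WithRSAEncryption

def build_test_spki(modulus, exponent=b"\x01\x00\x01"):
    rsa_key = der_tlv(0x30, der_tlv(0x02, modulus) + der_tlv(0x02, exponent))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key))

def build_test_cert(spki):
    """A structurally valid but unsigned Certificate around the given SPKI."""
    sig_alg = der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30,
        der_tlv(0xA0, der_tlv(0x02, b"\x02"))                       # version v3
        + der_tlv(0x02, b"\x01")                                    # serialNumber
        + sig_alg                                                   # signature
        + der_tlv(0x30, b"")                                        # issuer (empty Name, test only)
        + der_tlv(0x30, der_tlv(0x17, b"240101000000Z")
                        + der_tlv(0x17, b"250101000000Z"))          # validity
        + der_tlv(0x30, b"")                                        # subject (empty Name, test only)
        + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + b"\x00" * 16))

if __name__ == "__main__":
    legit = build_test_cert(build_test_spki(b"\x00\xc0" + b"\x11" * 30))
    # Same name, different CA, different key: what a mis-issued cert looks like.
    misissued = build_test_cert(build_test_spki(b"\x00\xd5" + b"\x22" * 30))
    pins = {spki_pin(legit)}
    print("legit:", check_pin(legit, pins), "mis-issued:", check_pin(misissued, pins))
```

The pin set must also include at least one backup key, since a pin on only the currently deployed key bricks the site when that key is rotated; and the check stops at the key, not the issuing CA, which is exactly why a fraudulently issued certificate from any of the trusted roots is rejected.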

> Without cert pinning

In the case of Firefox connecting to addons.mozilla.org, there is cert pinning.

I didn't know that, thanks.

(In retrospect, it's such an obvious thing for them to do - I don't know why I didn't assume it was likely enough to be implemented and check before I posted that...)

To be fair, I _think_ the pinning was only added in Firefox 32, back in September. So it's a pretty recent development.