On 09/01/2014 01:19 PM, Antony Stone wrote:
From https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
Starting with FF 32, it's on by default, so you don't have to do anything. The
pinning level is enforced by a pref, security.cert_pinning.enforcement_level
0. Pinning disabled
1. Allow User MITM (pinning not enforced if the trust anchor is a user
inserted CA, default)
2. Strict. Pinning is always enforced.
3. Enforce test mode.
That seems to me to say that if the root of the certificate chain is a user-added cert, pinning will not be enforced, therefore the user isn't affected?
Hey Antony,
It means that if the user disables the pinning check, it will work.
I assume they will choose option 2 of the 4, but it's different from
Chrome, which does not allow you to disable the pinning at all for google.com.
Eliezer