To escape the PKI x509 disaster

Diatribe: Enough said for now. (this too)

This feature fails to fail when I enter the wrong fingerprint. Either I am confused about what the feature is for or there is a serious security bug. When I first read about this function I conceived (perhaps implausibly) an amelioration of the terrible PKI infrastructure we suffer today. Perhaps this makes it worse. See this.

My Optimistic Take

Google’s Chrome browser has a key pinning feature that avoids trusting a whole world of miscellaneous ‘certificate authorities’. Suppose that you occasionally want to go to Bank of America’s web site and be confident that you have reached that site and that there are no ‘men in the middle’. You must first learn the ‘fingerprint’ of the ‘public key’ of the bank. You should be able to pick this up on a card as you leave a BofA branch but I don’t think that you can. Here is how I learned the fingerprint but you may have a better way. You need to express this 160 bit integer in “base64”. You can do this by hand from reading the Wikipedia article on base64. I ran a small Mac app called “HexEdit”. It will want to open a file. Hit cancel. Type command N for a new unnamed file. Paste the hexidecimal version of fingerprint into window, spaces OK. Save file into a very temporary file called BofAfp here. Perform shell command “openssl base64 -in BofAfp”. Remember printed output somehow. (I got “K6yVbE7kf51cHgWujtf5XUfCH4A=”) delete BofAfp (merely to avoid clutter). Switch back to browser. Type into address bar: “chrome://net-internals/#hsts”. Enter “bankofamerica.com” into the “Domain” window. Click “Include subdomains for STS:”. Enter “sha1/K6yVbE7kf51cHgWujtf5XUfCH4A=” in the “Public key fingerprints:” window. Click Add button. Hope.