Vanadium
Enable certificate pinning for popular sites
Chromium maintains a list of certificate pins for popular sites (Twitter, etc.). Since this is being maintained by the Chromium team, it would be a nice increase in assurance for those sites if we enabled that functionality.
I don't think Chromium maintains a list but rather those sites submitted their pins when static pinning was still available and they can submit updates to them. Chromium doesn't actually maintain them. It's not open to new sites and is supposedly being phased out and removed at some point.
Isn't this already enabled just like HSTS preloading? What makes you think it's not enabled?
They are maintained here: https://github.com/chromium/chromium/commits/main/net/http/transport_security_state_static.pins
And yeah you are right, sites have to look after it themselves. It's used only on "Google Chrome" branded builds.
Looks very dead and like something that was meant for HPKP based on previous commits.
An alternative sounds nice, but it would need to be easily maintainable and something that wouldn't be deprecated 2 years later or easily break. Also something that could be easily re-used and not implemented entirely downstream. I don't know if that would be good to base off of since it's definitely meant for HPKP.
Just my thoughts.
https://github.com/chromium/chromium/blob/cf396c239436e0250cece84a6ec008fcce6a6cff/net/http/transport_security_state.cc#L417
An alternative sounds nice, but it would need to be easily maintainable and something that wouldn't be deprecated 2 years later or easily break. Also something that could be easily re-used and not implemented entirely downstream.
It may be deprecated but there is no harm in enabling it.
I don't know if that would be good to base off of since it's definitely meant for HPKP.
It doesn't work like HPKP since there is no TOFU, the browser has the keys as part of the binary.
https://github.com/chromium/chromium/blob/cf396c239436e0250cece84a6ec008fcce6a6cff/net/http/transport_security_state.cc#L417
We could patch that for non-branded builds (Vanadium) and test this if it doesn't break anything. Doubt it would since Chrome seems to have it enabled obviously.
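To make the distinction above concrete (static pins compiled into the binary, no TOFU from a response header), here is an added illustration of how a preloaded pinset is enforced against a certificate chain. This is example code, not Chromium's implementation; the hostnames, pinset name and SPKI blobs are constructed placeholders.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    # Pin format used by the static list: "sha256/" + base64(SHA-256 over the SubjectPublicKeyInfo DER)
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for SPKI DER blobs; a real pin hashes the certificate's actual SPKI.
ROOT_SPKI = b"constructed-root-spki"
BACKUP_SPKI = b"constructed-backup-spki"
ROGUE_SPKI = b"constructed-rogue-ca-spki"
LEAF_SPKI = b"constructed-leaf-spki"

# Pinsets and host entries shipped inside the binary (hypothetical entries).
# Nothing here is learned at runtime, which is what separates this from HPKP.
STATIC_PINSETS = {
    "example-pinset": {
        "good": {spki_pin(ROOT_SPKI), spki_pin(BACKUP_SPKI)},
        "bad": {spki_pin(ROGUE_SPKI)},
    },
}
STATIC_HOSTS = {
    "example.com": {"pinset": "example-pinset", "include_subdomains": True},
}

def lookup_pinset(host: str):
    # Try the exact host first, then each parent domain; a parent entry only
    # applies when it was preloaded with include_subdomains.
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = STATIC_HOSTS.get(".".join(labels[i:]))
        if entry and (i == 0 or entry["include_subdomains"]):
            return STATIC_PINSETS[entry["pinset"]]
    return None

def check_static_pins(host: str, chain_spki_ders) -> bool:
    """True if the chain is acceptable for host under the preloaded pins."""
    pinset = lookup_pinset(host)
    if pinset is None:
        return True  # host is not in the preload list: nothing to enforce
    chain_pins = {spki_pin(der) for der in chain_spki_ders}
    if chain_pins & pinset["bad"]:
        return False  # an explicitly rejected key anywhere in the chain fails it
    return bool(chain_pins & pinset["good"])  # at least one pinned key must appear
```

Note that a chain containing a pinned key still fails if it also contains a key on the bad list, so the bad list cannot be bypassed by cross-signing.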
https://github.com/chromium/chromium/blob/cf396c239436e0250cece84a6ec008fcce6a6cff/net/http/transport_security_state.cc#L417
This also seems like it does something regarding Expect-CT that we don't.
They used to have Expect-CT preloading as an option and still have legacy entries. They stopped accepting new ones as they did for pinning.
If Chrome has these two enabled by default, do you think Vanadium would be fine with enabling it too?
Yes, but keep in mind it's deprecated and they don't accept any new entries, so it hardly covers anything and is a very odd selection of whoever submitted very early, before they started locking down the process to only certain major exceptions and then closed it completely.
We could manually add grapheneos.org pins ourselves if we wanted, but it's likely the whole thing gets removed at some point.
Sorry if I intrude, here we talked about it and here you can find the patch that enables the function. If you want, there is also the compiled version ready to be tested.
It may be deprecated
They stopped accepting new ones as they did for pinning.
I'm interested in understanding the source. thanks