On Jan 2, 2013, at 8:25 PM, Seth David Schoen <schoen@loyalty.org> wrote:
Steven Bellovin writes:
The only Chrome browser I have lying around right now is on a Nexus 7 tablet; I don't see any way to list the pinned certs from the browser. There is a list at http://www.chromium.org/administrators/policy-list-3, and while I don't know how current it is, you'll notice a decided dearth of interesting sites with the exceptions of paypal.com and lastpass.com.
You can see the current list of cert pins and HSTS preloads in the Chromium source tree at
https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security...
or
https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security...
Thanks. The list is longer, but with the exception of Twitter (and possibly Intuit -- a subdomain is shown), not a lot more interesting. I don't see major banks, I don't see Facebook or Hotmail, I don't see the big CAs, etc.

--Steve Bellovin, https://www.cs.columbia.edu/~smb