On Jan 2, 2013, at 8:25 PM, Seth David Schoen <sch...@loyalty.org> wrote:
> Steven Bellovin writes:
>
>> The only Chrome browser I have lying around right now is on a Nexus 7 tablet;
>> I don't see any way to list the pinned certs from the browser. There is a
>> list at http://www.chromium.org/administrators/policy-list-3, and while I
>> don't know how current it is you'll notice a decided dearth of interesting
>> sites with the exceptions of paypal.com and lastpass.com.
>
> You can see the current list of cert pins and HSTS preloads in the Chromium
> source tree at
>
> https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.h?view=markup
>
> or
>
> https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.json?view=markup

Thanks. The list is longer, but with the exception of Twitter (and possibly
intuit -- a subdomain is shown), not a lot more interesting. I don't see
major banks, I don't see Facebook or Hotmail, I don't see the big CAs, etc.

--Steve Bellovin, https://www.cs.columbia.edu/~smb