Hi,

Duncan wrote:

> Meanwhile, another question for Thomas. Is this "certificate stapling"
> the same thing google chrome is now doing for the google site, that
> enabled it to detect the (I think it was) Iranian and/or Chinese CA
> tampering, allowing them to say a "google" cert was valid that was
> actually their MitM cert, as appeared in the tech-news a few months ago?
> Or was that something different?
>
> I had interpreted (well, I think I read, but either the journalist could
> have been mixed up too, or maybe I was misinterpreting what I read,
> either way the effect on my understanding is the same) the "certificate
> stapling" referred to at the time as indicating that google configured
> the certs for their own sites into chrome as shipped itself, effectively
> hard-coding them, NOT as google handling its own OCSP requests, as OCSP
> cert stapling does. So now I'm wondering if I interpreted wrong then, or
> if there's actually two different things being referred to as certificate
> stapling, here.

No, OCSP Stapling is something else. I guess you are talking about HSTS and "SSL pinning" [1,2]:

In Google Chrome, they hard-coded some certificates/certificate metadata [3] which must be present in every certificate used for any Google site. If you connect to a Google site, for example, and this site uses a certificate from a CA not specified in [3] (depending on the service, they may also verify against a list of known fingerprints, like EV SSL does), the connection will be terminated and the browser will send some details to Google so they get notified.

See also:
=========
[1] http://blog.chromium.org/2011/06/new-chromium-security-features-june.html
[2] https://www.imperialviolet.org/2011/05/04/pinning.html
[3] http://www.googblogs.com/uncategorized/changes-to-our-ssl-certificates/

-- 
Regards,
Thomas
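As an added illustration of the pin check Thomas describes (example code, not from this thread and not Chromium's own): the client carries a built-in pin list keyed by host, a served chain passes if any certificate's public-key (SPKI) hash matches the host's pin set, and a chain that matches nothing is rejected and turned into a report. The SPKI byte strings, host names and the pin table below are constructed stand-ins, not real Google pins.

```python
import hashlib
from typing import Iterable

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; real pins
# are SHA-256 digests over the actual SPKI bytes of the CA certificates.
SPKI = {
    "GoogleInternetAuthority": b"constructed-spki-google-internet-authority",
    "EquifaxRoot": b"constructed-spki-equifax-root",
    "RogueCA": b"constructed-spki-rogue-ca",
}

def spki_sha256(spki_der: bytes) -> str:
    """Hash the SPKI bytes: the pin is a digest of the key, not of the whole cert,
    so the site can rotate leaf certificates under a pinned CA key."""
    return hashlib.sha256(spki_der).hexdigest()

# Hypothetical built-in pin list keyed by host. A pin set lists acceptable
# SPKI hashes, and a chain passes if ANY certificate in it matches one of them.
PINS = {
    "google.com": {
        "include_subdomains": True,
        "pins": {spki_sha256(SPKI["GoogleInternetAuthority"]),
                 spki_sha256(SPKI["EquifaxRoot"])},
    },
}

def lookup_pins(host: str):
    """Find the most specific pin entry covering host, honouring include_subdomains
    the same way HSTS applies a parent domain's policy to its subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PINS.get(".".join(labels[i:]))
        if entry and (i == 0 or entry["include_subdomains"]):
            return entry
    return None

def check_chain(host: str, chain_spki: Iterable[bytes]) -> dict:
    """Validate a served chain (as SPKI blobs) against the pins for host.

    Returns {'ok': True} when no pins apply or a pin matches; otherwise
    {'ok': False, 'report': {...}} holding what a client would send home
    before terminating the connection."""
    entry = lookup_pins(host)
    if entry is None:
        return {"ok": True, "pinned": False}
    seen = [spki_sha256(s) for s in chain_spki]
    if any(h in entry["pins"] for h in seen):
        return {"ok": True, "pinned": True}
    return {"ok": False, "pinned": True,
            "report": {"hostname": host, "served-chain-spki-sha256": seen,
                       "known-pins": sorted(entry["pins"])}}
```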