undefined | Better HN

0 pointsNovashi7y ago0 comments

I thought there were varying amounts of trust with certificate stores?

Local dev certs should go into a personal store or something that is less trusted than something like VeriSign. You shouldn't be able to mint a legit-looking Google certificates with the same private key that's only trusted via a local self-signed certificate.

Maybe I don't understand something.

0 comments

2 comments · 2 top-level

shivekkhurana7y ago

Couldn't mint absolutely legitimate certificates, but legitimate enough to fool the browser and the person who is browsing.

gog7y ago

If you have a Certificate Authority in your trust store, than any certificate signed by that CS is trusted by your system.

That is why Google uses key pinning for their services and a list is hardcoded in Chrome, AFAIK.

j / k navigate · click thread line to collapse