21:46, 12 May 2014

Certificate pinning is a protocol for sites to specify which certificate authorities have issued valid certs for that site, and for user-agents to reject TLS connections to those sites if the certificate is not issued by a known-good CA. The benefit of certificate pinning is that users cannot be man-in-the-middled by a rogue CA that is not on the site's list (see the DigiNotar attack, which Chrome detected and we did not: https://blog.mozilla.org/security/2011/08/29/fraudulent-google-com-certificate/).
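The check described above, as an added illustration that is not Firefox's or Chrome's code: a pinned host is accepted only if some certificate in the presented chain has a Subject Public Key Info (SPKI) hash in the host's pin set, so a chain from a CA outside that set is rejected even though the CA may be in the OS trust store. The pin store, host names and SPKI bytes are constructed for the example.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Set

# Constructed pin store: host -> base64 SHA-256 hashes of the SPKI of each CA
# the site says may issue its certificates. (Assumption: a static, preloaded
# pin list keyed by host name; real lists also carry expiry and subdomain
# rules, which this example leaves out.)
PinStore = Dict[str, Set[str]]


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 of a DER-encoded SPKI, base64-encoded (the usual pin format)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_is_pinned_ok(host: str, chain_spkis: List[bytes], pins: PinStore) -> bool:
    """Return True when the TLS connection may proceed.

    This runs *after* ordinary chain validation (assumed to have passed):
    - a host with no entry in the pin store is not pinned, so nothing more
      is required;
    - a pinned host needs at least one SPKI in the chain (leaf, intermediate
      or root) whose hash appears in its pin set.
    """
    pinset: Optional[Set[str]] = pins.get(host)
    if pinset is None:
        return True
    return any(spki_fingerprint(spki) in pinset for spki in chain_spkis)


# Constructed stand-ins for DER-encoded SPKI blobs.
GOOD_CA_SPKI = b"constructed-spki-of-known-good-ca"
ROGUE_CA_SPKI = b"constructed-spki-of-rogue-ca"
LEAF_SPKI = b"constructed-spki-of-leaf-cert"

PINS: PinStore = {"pinned.example": {spki_fingerprint(GOOD_CA_SPKI)}}

if __name__ == "__main__":
    # Chain issued by the pinned CA: accepted.
    print(chain_is_pinned_ok("pinned.example", [LEAF_SPKI, GOOD_CA_SPKI], PINS))
    # Chain issued by a CA not on the site's list (a DigiNotar-style
    # mis-issuance): rejected, whatever the OS trust store says.
    print(chain_is_pinned_ok("pinned.example", [LEAF_SPKI, ROGUE_CA_SPKI], PINS))
    # Unpinned host: pinning does not apply.
    print(chain_is_pinned_ok("unpinned.example", [LEAF_SPKI, ROGUE_CA_SPKI], PINS))
```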
We are attempting to:
# Pin all of the sites that Chrome already does (Google, Twitter)
# Pin our own sites after auditing them and cleaning them up, so that our users know that the updates we serve actually come from us
# Pin other popular sites like Facebook that are in good shape already (with their cooperation, of course)
Tracking bug: {{bug|1004350}}