net/base/hsts_preloaded.json - Issue 9863001: net: move HSTS preloaded and pinning info out of code.

Side by Side Diff: net/base/hsts_preloaded.json

Issue 9863001: net: move HSTS preloaded and pinning info out of code. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: ... Created 8 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 // This file contains the HSTS preloaded list in a machine readable format.

	6

	7 // The top-level element is a dictionary with two keys: "pinsets" maps details

	8 // of certificate pinning to a name and "entries" contains the HSTS details for

	9 // each host.

	10 //

	11 // "pinsets" is a list of objects. Each object has the following members:

	12 // name: (string) the name of the pinset

	13 // include: (list of strings) the set of allowed SPKIs hashes

	14 // exclude: (optional list of strings) the set of forbidden SPKIs hashes

	15 //

	16 // For a given pinset, a certifiacte is accepted if at least one of the

	17 // "include" SPKIs is found in the chain and none of the "exclude" SPKIs are.

	18 // SPKIs are specified as names, which must match up with the file of

	19 // certificates.

	20 //

	21 // "entries" is a list of objects. Each object has the following members:

	22 // name: (string) the DNS name of the host in question

	23 // subdomains: (optional bool) whether subdomains of \|name\| are also covered

	24 // https: (optional bool) whether the covered names should require HTTPS

	25 // pins: (optional string) the \|name\| member of an object in \|pinsets\|

	26

	27 {

	28 "pinsets": [

	29 {

	30 "name": "test",

	31 "include": [

	32 "TestSPKI"

	33 ]

	34 },

	35 {

	36 "name": "google",

	37 "include": [

	38 "VeriSignClass3",

	39 "VeriSignClass3_G3",

	40 "Google1024",

	41 "Google2048",

	42 "EquifaxSecureCA"

	43 ],

	44 "exclude": [

	45 "Aetna",

	46 "Intel",

	47 "TCTrustCenter",

	48 "Vodafone"

	49 ]

	50 },

	51 {

	52 "name": "tor",

	53 "include": [

	54 "RapidSSL",

	55 "DigiCertEVRoot",

	56 "Tor1",

	57 "Tor2",

	58 "Tor3"

	59 ]

	60 },

	61 {

	62 "name": "twitterCom",

	63 "include": [

	64 "VeriSignClass1",

	65 "VeriSignClass3",

	66 "VeriSignClass3_G4",

	67 "VeriSignClass4_G3",

	68 "VeriSignClass3_G3",

	69 "VeriSignClass1_G3",

	70 "VeriSignClass2_G3",

	71 "VeriSignClass3_G2",

	72 "VeriSignClass2_G2",

	73 "VeriSignClass3_G5",

	74 "VeriSignUniversal",

	75 "GeoTrustGlobal",

	76 "GeoTrustGlobal2",

	77 "GeoTrustUniversal",

	78 "GeoTrustUniversal2",

	79 "GeoTrustPrimary",

	80 "GeoTrustPrimary_G2",

	81 "GeoTrustPrimary_G3",

	82 "Twitter1"

	83 ]

	84 },

	85 {

	86 "name": "twitterCDN",

	87 "include": [

	88 "VeriSignClass1",

	89 "VeriSignClass3",

	90 "VeriSignClass3_G4",

	91 "VeriSignClass4_G3",

	92 "VeriSignClass3_G3",

	93 "VeriSignClass1_G3",

	94 "VeriSignClass2_G3",

	95 "VeriSignClass3_G2",

	96 "VeriSignClass2_G2",

	97 "VeriSignClass3_G5",

	98 "VeriSignUniversal",

	99 "GeoTrustGlobal",

	100 "GeoTrustGlobal2",

	101 "GeoTrustUniversal",

	102 "GeoTrustUniversal2",

	103 "GeoTrustPrimary",

	104 "GeoTrustPrimary_G2",

	105 "GeoTrustPrimary_G3",

	106 "Twitter1",

	107

	108 "Entrust_2048",

	109 "Entrust_EV",

	110 "Entrust_G2",

	111 "Entrust_SSL",

	112 "AAACertificateServices",

	113 "AddTrustClass1CARoot",

	114 "AddTrustExternalCARoot",

	115 "AddTrustPublicCARoot",

	116 "AddTrustQualifiedCARoot",

	117 "COMODOCertificationAuthority",

	118 "SecureCertificateServices",

	119 "TrustedCertificateServices",

	120 "UTNDATACorpSGC",

	121 "UTNUSERFirstClientAuthenticationandEmail",

	122 "UTNUSERFirstHardware",

	123 "UTNUSERFirstObject",

	124 "GTECyberTrustGlobalRoot"

	125 ]

	126 }

	127 ],

	128

	129 "entries": [

	130 // Dummy entry to test certificate pinning.

	131 { "name": "pinningtest.appspot.com", "subdomains": true, "pins": "test" },
	palmer 2012/03/26 23:40:21 Can we use the same key names as I use in the TSS Can we use the same key names as I use in the TSS refactor? I document them in chrome/browser/transport_security_persister.h in my TSS refactor CL (http://codereview.chromium.org/9415040/). The more harmonized these names are, the less confusing it will be for the poor maintainers that come after us. One difference that I think would be ok is to have "static_spki_hashes" have a string (the name of the array of pins from the JSON above this) instead of a literal array of base64'd SPKI hashes, as they are in the persisted TSS data file. I.e. I am just asking you to change these names; your new value semantics are OK.
	132

	133 // (*.)google.com, iff using SSL, must use an acceptable certificate.

	134 { "name": "google.com", "subdomains": true, "pins": "google" },

	135

	136 // Now we force HTTPS for subtrees of google.com.

	137 { "name": "health.google.com", "subdomains": true, "https": true, "pins": "g oogle" },

	138 { "name": "checkout.google.com", "subdomains": true, "https": true, "pins": "google" },

	139 { "name": "chrome.google.com", "subdomains": true, "https": true, "pins": "g oogle" },

	140 { "name": "docs.google.com", "subdomains": true, "https": true, "pins": "goo gle" },

	141 { "name": "sites.google.com", "subdomains": true, "https": true, "pins": "go ogle" },

	142 { "name": "spreadsheets.google.com", "subdomains": true, "https": true, "pin s": "google" },

	143 { "name": "appengine.google.com", "https": true, "pins": "google" },

	144 { "name": "encrypted.google.com", "subdomains": true, "https": true, "pins": "google" },

	145 { "name": "accounts.google.com", "subdomains": true, "https": true, "pins": "google" },

	146 { "name": "profiles.google.com", "subdomains": true, "https": true, "pins": "google" },

	147 { "name": "mail.google.com", "subdomains": true, "https": true, "pins": "goo gle" },

	148 { "name": "talkgadget.google.com", "subdomains": true, "https": true, "pins" : "google" },

	149 { "name": "talk.google.com", "subdomains": true, "https": true, "pins": "goo gle" },

	150 { "name": "hostedtalkgadget.google.com", "subdomains": true, "https": true, "pins": "google" },

	151 { "name": "plus.google.com", "subdomains": true, "https": true, "pins": "goo gle" },

	152

	153 // Other Google related domain that must use HTTPS.

	154 { "name": "market.android.com", "subdomains": true, "https": true, "pins": " google" },

	155 { "name": "ssl.google-analytics.com", "subdomains": true, "https": true, "pi ns": "google" },

	156 { "name": "drive.google.com", "subdomains": true, "https": true, "pins": "go ogle" },

	157 { "name": "googleplex.com", "subdomains": true, "https": true, "pins": "goog le" },

	158 { "name": "groups.google.com", "subdomains": true, "https": true, "pins": "g oogle" },

	159 { "name": "apis.google.com", "subdomains": true, "https": true, "pins": "goo gle" },

	160

	161 // chart.apis.google.com is not HSTS because the certificate doesn't match

	162 // and there are lots of links out there that still use the name. The correc t

	163 // hostname for this is chart.googleapis.com.

	164 { "name": "chart.apis.google.com", "subdomains": true, "pins": "google" },

	165

	166 // Other Google-related domains that must use an acceptable certificate

	167 // iff using SSL.

	168 { "name": "ytimg.com", "subdomains": true, "pins": "google" },

	169 { "name": "googleusercontent.com", "subdomains": true, "pins": "google" },

	170 { "name": "youtube.com", "subdomains": true, "pins": "google" },

	171 { "name": "googleapis.com", "subdomains": true, "pins": "google" },

	172 { "name": "googleadservices.com", "subdomains": true, "pins": "google" },

	173 { "name": "googlecode.com", "subdomains": true, "pins": "google" },

	174 { "name": "appspot.com", "subdomains": true, "pins": "google" },

	175 { "name": "googlesyndication.com", "subdomains": true, "pins": "google" },

	176 { "name": "doubleclick.net", "subdomains": true, "pins": "google" },

	177 { "name": "ssl.gstatic.com", "subdomains": true, "pins": "google" },

	178 // Exclude the learn.doubleclick.net subdomain because it uses a different

	179 // CA.

	180 { "name": "learn.doubleclick.net", "subdomains": true },

	181

	182 // Force HTTPS for sites that have requested it.

	183 { "name": "www.paypal.com", "https": true },

	184 { "name": "www.elanex.biz", "https": true },

	185 { "name": "jottit.com", "subdomains": true, "https": true },

	186 { "name": "sunshinepress.org", "subdomains": true, "https": true },

	187 { "name": "www.noisebridge.net", "https": true },

	188 { "name": "neg9.org", "https": true },

	189 { "name": "riseup.net", "subdomains": true, "https": true },

	190 { "name": "factor.cc", "https": true },

	191 { "name": "members.mayfirst.org", "https": true },

	192 { "name": "support.mayfirst.org", "https": true },

	193 { "name": "id.mayfirst.org", "https": true },

	194 { "name": "lists.mayfirst.org", "https": true },

	195 { "name": "splendidbacon.com", "subdomains": true, "https": true },

	196 { "name": "aladdinschools.appspot.com", "https": true },

	197 { "name": "ottospora.nl", "subdomains": true, "https": true },

	198 { "name": "www.paycheckrecords.com", "https": true },

	199 { "name": "lastpass.com", "https": true },

	200 { "name": "www.lastpass.com", "https": true },

	201 { "name": "keyerror.com", "subdomains": true, "https": true },

	202 { "name": "entropia.de", "https": true },

	203 { "name": "www.entropia.de", "https": true },

	204 { "name": "romab.com", "subdomains": true, "https": true },

	205 { "name": "logentries.com", "https": true },

	206 { "name": "www.logentries.com", "https": true },

	207 { "name": "stripe.com", "subdomains": true, "https": true },

	208 { "name": "cloudsecurityalliance.org", "subdomains": true, "https": true },

	209 { "name": "login.sapo.pt", "subdomains": true, "https": true },

	210 { "name": "mattmccutchen.net", "subdomains": true, "https": true },

	211 { "name": "betnet.fr", "subdomains": true, "https": true },

	212 { "name": "uprotect.it", "subdomains": true, "https": true },

	213 { "name": "squareup.com", "https": true },

	214 { "name": "cert.se", "subdomains": true, "https": true },

	215 { "name": "crypto.is", "subdomains": true, "https": true },

	216 { "name": "simon.butcher.name", "subdomains": true, "https": true },

	217 { "name": "linx.net", "subdomains": true, "https": true },

	218 { "name": "dropcam.com", "https": true },

	219 { "name": "www.dropcam.com", "https": true },

	220 { "name": "ebanking.indovinabank.com.vn", "subdomains": true, "https": true },

	221 { "name": "epoxate.com", "https": true },

	222 { "name": "torproject.org", "https": true, "pins": "tor" },

	223 { "name": "blog.torproject.org", "subdomains": true, "https": true, "pins": "tor" },

	224 { "name": "check.torproject.org", "subdomains": true, "https": true, "pins": "tor" },

	225 { "name": "www.torproject.org", "subdomains": true, "https": true, "pins": " tor" },

	226 { "name": "www.moneybookers.com", "subdomains": true, "https": true },

	227 { "name": "ledgerscope.net", "https": true },

	228 { "name": "www.ledgerscope.net", "https": true },

	229 { "name": "kyps.net", "https": true },

	230 { "name": "www.kyps.net", "https": true },

	231 { "name": "app.recurly.com", "subdomains": true, "https": true },

	232 { "name": "api.recurly.com", "subdomains": true, "https": true },

	233 { "name": "greplin.com", "https": true },

	234 { "name": "www.greplin.com", "https": true },

	235 { "name": "luneta.nearbuysystems.com", "subdomains": true, "https": true },

	236 { "name": "ubertt.org", "subdomains": true, "https": true },

	237 { "name": "pixi.me", "subdomains": true, "https": true },

	238 { "name": "grepular.com", "subdomains": true, "https": true },

	239 { "name": "mydigipass.com", "https": true },

	240 { "name": "www.mydigipass.com", "https": true },

	241 { "name": "developer.mydigipass.com", "https": true },

	242 { "name": "www.developer.mydigipass.com", "https": true },

	243 { "name": "sandbox.mydigipass.com", "https": true },

	244 { "name": "www.sandbox.mydigipass.com", "https": true },

	245 { "name": "crypto.cat", "subdomains": true, "https": true },

	246 { "name": "bigshinylock.minazo.net", "subdomains": true, "https": true },

	247 { "name": "crate.io", "subdomains": true, "https": true },

	248 { "name": "twitter.com", "pins": "twitterCom" },

	249 { "name": "www.twitter.com", "subdomains": true, "pins": "twitterCom" },

	250 { "name": "api.twitter.com", "subdomains": true, "pins": "twitterCDN" },

	251 { "name": "oauth.twitter.com", "subdomains": true, "pins": "twitterCom" },

	252 { "name": "mobile.twitter.com", "subdomains": true, "pins": "twitterCom" },

	253 { "name": "dev.twitter.com", "subdomains": true, "pins": "twitterCom" },

	254 { "name": "business.twitter.com", "subdomains": true, "pins": "twitterCom" } ,

	255 { "name": "platform.twitter.com", "subdomains": true, "pins": "twitterCDN" } ,

	256 { "name": "si0.twimg.com", "subdomains": true, "pins": "twitterCDN" },

	257 { "name": "twimg0-a.akamaihd.net", "subdomains": true, "pins": "twitterCDN" },

	258

	259 // Entries that are only valid if the client supports SNI.

	260 { "name": "gmail.com", "https": true, "pins": "google", "snionly": true },

	261 { "name": "googlemail.com", "https": true, "pins": "google", "snionly": true },

	262 { "name": "www.gmail.com", "https": true, "pins": "google", "snionly": true },

	263 { "name": "www.googlemail.com", "https": true, "pins": "google", "snionly": true },

	264 { "name": "google-analytics.com", "subdomains": true, "pins": "google", "sni only": true },

	265 { "name": "googlegroups.com", "subdomains": true, "pins": "google", "snionly ": true }

	266 ]

	267 }

OLD	NEW

« net/base/hsts_preloaded.h ('K') | « net/base/hsts_preloaded.certs ('k') | net/base/hsts_preloaded_generate.go » ('j') | net/base/hsts_preloaded_generate.go » ('J')