[cryptography] This is bad. This is really bad. (Isn't it?)

Jeffrey Walton noloader at gmail.com
Wed Nov 25 11:39:11 EST 2015


On Wed, Nov 25, 2015 at 9:16 AM, Dave Howe
<davehowe.pentesting at gmail.com> wrote:
> On 25/11/2015 12:59, Florian Schütz wrote:
>> This is true for Chrome and, I think, for Firefox as well. Some
>> enterprises insist on MITMing TLS connections at a proxy, and at least
>> Chrome will not break this. They argue if they were to strictly
>> enforce Pins, people would just switch to a more permissive browser. I
>> agree with their line of thought.
> Yup. Firefox of course isn't aware of this Dell key, as it is in the
> Windows keystore, so will fail to validate such a certificate....

Chrome will fall victim because they use the OS store
(http://www.chromium.org/Home/chromium-security/root-ca-policy)...

Chrome will even break a known good pinset. Priorities of
Constituencies and all the other web/security model goodness
(http://www.w3.org/TR/html-design-principles/#priority-of-constituencies)...

Jeff
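The two behaviours discussed above (a browser that trusts whatever root sits in the OS store, and a pin check that is skipped when the chain ends at such a locally added root) can be made concrete in a small model. The following is an added example written for this archive page; it is not Chrome's, Firefox's or Dell's code. The certificates, root names and "SPKI" bytes are constructed placeholders, and the three profiles are labelled assumptions that stand in for the documented policies, not copies of any browser's implementation.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields the policy needs."""
    subject: str
    issuer: str
    spki_der: bytes  # DER SubjectPublicKeyInfo; constructed bytes here, not real keys


def spki_pin(cert: Cert) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode()


# Constructed trust anchors (placeholder names and key material).
PUBLIC_ROOT = Cert("Constructed Public Root CA", "Constructed Public Root CA", b"public-root-spki")
LOCAL_ROOT = Cert("Constructed Locally Installed Root", "Constructed Locally Installed Root", b"local-root-spki")

BUILTIN_ROOTS = {PUBLIC_ROOT.subject}  # roots shipped with the browser or OS
LOCAL_ROOTS = {LOCAL_ROOT.subject}     # roots added to the OS store afterwards (admin, vendor tool, proxy)

# Constructed chains for the same hostname: the genuine one and one minted under the local root.
LEGIT_CHAIN = [Cert("example.test", PUBLIC_ROOT.subject, b"site-real-spki"), PUBLIC_ROOT]
LOCAL_ROOT_CHAIN = [Cert("example.test", LOCAL_ROOT.subject, b"site-reissued-spki"), LOCAL_ROOT]

# The site's "known good pinset": it pins its public root's key.
PINSET = {spki_pin(PUBLIC_ROOT)}

# Assumed profiles: which roots are trusted, and whether pins are skipped for a local anchor.
PROFILES = {
    "os-store-skip-pins-for-local": (BUILTIN_ROOTS | LOCAL_ROOTS, True),   # Chrome-like policy
    "os-store-strict-pins": (BUILTIN_ROOTS | LOCAL_ROOTS, False),          # hypothetical strict variant
    "own-store": (BUILTIN_ROOTS, False),                                   # browser with its own root store
}


def chain_is_trusted(chain, known_roots) -> bool:
    """Every issuer must match the next subject, and the self-signed anchor must be known."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    anchor = chain[-1]
    return anchor.subject == anchor.issuer and anchor.subject in known_roots


def check_connection(chain, pinset, known_roots, skip_pins_for_local_anchor) -> str:
    """Returns 'untrusted', 'accepted', 'accepted-pins-skipped' or 'pin-mismatch'."""
    if not chain_is_trusted(chain, known_roots):
        return "untrusted"
    if skip_pins_for_local_anchor and chain[-1].subject in LOCAL_ROOTS:
        # Pins are not consulted at all when the chain ends at a locally added root.
        return "accepted-pins-skipped"
    if any(spki_pin(c) in pinset for c in chain):
        return "accepted"
    return "pin-mismatch"


def evaluate(profile: str, chain) -> str:
    known_roots, skip_local = PROFILES[profile]
    return check_connection(chain, PINSET, known_roots, skip_local)


if __name__ == "__main__":
    for name in PROFILES:
        print(f"{name:30s} legit={evaluate(name, LEGIT_CHAIN):24s} "
              f"local-root={evaluate(name, LOCAL_ROOT_CHAIN)}")
```

Running it shows the three outcomes the thread describes: the OS-store profile with the pin bypass accepts the chain minted under the local root even though the site's pinset names a different key, the own-store profile rejects it as untrusted because it never learned that root, and only the strict variant turns the pinset into an actual defence. For a defender, the useful signal is the "accepted-pins-skipped" branch: a chain that validates solely because of a non-built-in anchor is exactly what an inventory of the machine's root store (or an endpoint check for recently added roots) should surface.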

