[cryptography] This is bad. This is really bad. (Isn't it?)

mtm marctmiller at gmail.com
Wed Nov 25 12:03:02 EST 2015


fear not, mikey d is on it:

http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate

due diligence aside, what's with dell and pfx files?

https://support.software.dell.com/sonicwall-email-security/kb/sw10754
On Nov 25, 2015 10:39 AM, "Jeffrey Walton" <noloader at gmail.com> wrote:

> On Wed, Nov 25, 2015 at 9:16 AM, Dave Howe
> <davehowe.pentesting at gmail.com> wrote:
> > On 25/11/2015 12:59, Florian Schütz wrote:
> >> This is true for Chrome and, I think, for Firefox as well. Some
> >> enterprises insist on MITMing TLS connections at a proxy, and at least
> >> Chrome will not break this. They argue if they were to strictly
> >> enforce Pins, people would just switch to a more permissive browser. I
> >> agree with their line of thought.
> > Yup. Firefox of course isn't aware of this Dell key, as it is in the
> > windows keystore, so will fail to validate such a certificate....
>
> Chrome will fall victim because they use the OS store
> (http://www.chromium.org/Home/chromium-security/root-ca-policy)...
>
> Chrome will even break a known good pinset. Priorities of
> Constituencies and all the other web/security model goodness
> (http://www.w3.org/TR/html-design-principles/#priority-of-constituencies).
> ..
>
> Jeff