
I wonder if they also proxy stuff like the Google endpoints where Chrome does key pinning, or if they whitelist those. I imagine other large systems like those of Facebook (when using the app) and Apple are actively remembering what the keys are supposed to look like. That would mean that even a custom CA wouldn't allow carte blanche MITM.



Chrome will disable key pinning for CAs that are user installed rather than system provided (to support companies/schools who want to MITM for slightly less draconian reasons).

I do wonder if Chrome will go to requiring CAs for this purpose to be deployed via something more “enterprise” (e.g. custom extensions on Windows need to be deployed via group policy now).


AFAIK, Chrome on Windows doesn’t manage root certificates, it just utilises Windows’ own cert store (certmgr).


I think you misunderstood the parent comment :)

Regardless of where the cert store is, it came with some CA certs "in the box". Pinning applies to these CAs. Any CAs added by the end user (aka the person at the keyboard, or enterprise admins, etc.) bypass pinning.

For better or worse, bypassing of pinning is required in some enterprise scenarios to inspect traffic leaving the network, e.g. is someone attaching all our customer data to an email in Gmail? To know that, I need to MITM mail.google.com.

Sadly, this mechanism does get abused :(


"Any CAs added by the end user (aka the person at the keyboard, or enterprise admins, etc.) bypass pinning."

But how would Chrome know if a root cert from Windows’ cert store was added by the user or not? They would all be located in the "Trusted Root Certification Authorities" container.


Yeah, no. This is Windows.

"The" Trusted Root Certification Authorities store isn't a real thing, it's just a view onto a bunch of different stores that are actually separate, including a local machine store and per-user stores plus of course stores added by your membership of a domain or other grouping.

So Chrome gets to distinguish between certificates that Microsoft added and the ones added by Group Policy or whatever else to your system.
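An added auditing example, written for this thread and not taken from any commenter or from Chrome's own code: a PowerShell snippet that walks the separate physical stores the "Trusted Root Certification Authorities" view is assembled from, and lists the roots a defender would want to review because they did not arrive through the Microsoft Root Certificate Program. It assumes the standard locations: the Cert: drive's LocalMachine\AuthRoot (Microsoft-distributed third-party roots), LocalMachine\Root and CurrentUser\Root, and the Group Policy hive under HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates. Microsoft's own first-party roots also live in LocalMachine\Root rather than AuthRoot, so they show up in the output and need to be recognised by eye; the script surfaces candidates, it does not pass judgement.

```powershell
# Added example (not from the thread): enumerate the physical stores that Windows
# presents as one "Trusted Root Certification Authorities" view, and flag roots
# that were not distributed through the Microsoft Root Certificate Program.
# Assumptions: Windows with PowerShell 5.1+; the Cert: provider paths and the Group
# Policy registry path below are the standard locations (cross-check them against
# the "System Store Locations" docs linked in the thread for your environment).

# Thumbprints of roots shipped via the Microsoft Root Certificate Program (AuthRoot).
$authRoot = @{}
Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
    ForEach-Object { $authRoot[$_.Thumbprint] = $true }

# The per-machine and per-user physical stores that feed the "Trusted Root" view.
$stores = @(
    @{ Name = 'LocalMachine\Root (installed by an admin or setup program)'; Path = 'Cert:\LocalMachine\Root' },
    @{ Name = 'CurrentUser\Root (installed by the logged-on user)';        Path = 'Cert:\CurrentUser\Root' }
)

# Anything in these stores that is not in AuthRoot was added locally: by an installer,
# an admin, the user, or (in the per-machine case) possibly by policy. Microsoft's
# own first-party roots also appear here, so review the Subject column by hand.
$findings = @(
    foreach ($s in $stores) {
        Get-ChildItem -Path $s.Path |
            Where-Object { -not $authRoot.ContainsKey($_.Thumbprint) } |
            Select-Object @{ n = 'Store'; e = { $s.Name } }, Subject, Thumbprint, NotAfter
    }
)

# Roots pushed by Group Policy are recorded under the policy hive; the key name of
# each entry is the certificate thumbprint. (Assumed standard location.)
$gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
if (Test-Path -Path $gpoPath) {
    $findings += @(
        Get-ChildItem -Path $gpoPath | ForEach-Object {
            [pscustomobject]@{
                Store      = 'Group Policy (pushed by domain policy)'
                Subject    = '(decode the Blob value to see the subject)'
                Thumbprint = $_.PSChildName
                NotAfter   = $null
            }
        }
    )
}

# One row per non-AuthRoot trust anchor, grouped by where it came from.
$findings | Sort-Object Store, Subject | Format-Table -AutoSize
```

Run it in an elevated PowerShell session if you want the per-machine stores to be fully readable; the per-user store is readable as the current user. The interesting rows for a defender are the ones in CurrentUser\Root and in LocalMachine\Root whose Subject is neither a Microsoft root nor a CA your organisation deliberately deployed, which is exactly the set of roots that, per the discussion above, Chrome will exempt from pinning.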


Oh! I should’ve known it was all stored in the registry. As you say, this is Windows after all. Found some MS docs that look relevant: https://docs.microsoft.com/en-gb/windows/win32/seccrypto/sys...

