
AFAIK, Chrome on Windows doesn’t manage root certificates, it just utilises Windows’ own cert store (certmgr).

I think you misunderstood the parent comment :)

Regardless of where the cert store is, it came with some CA certs "in the box". Pinning applies to these CAs. Any CAs added by the end user (aka person at the keyboard, or enterprise admins, etc.) bypass pinning.

For better or worse, bypassing of pinning is required in some enterprise scenarios to inspect traffic leaving the network. e.g. Is someone attaching all our customer data to an email in Gmail? To know that, I need to MITM mail.google.com.

Sadly, this mechanism does get abused :(

"Any CAs added by the end user (aka person at the keyboard, or enterprise admins, etc.) bypass pinning."

But how would Chrome know if a root cert from Windows' cert store was added by the user or not? They would all be located in the "Trusted Root Certification Authorities" container.

Yeah, no. This is Windows.

"The" Trusted Root Certification Authorities store isn't a real thing, it's just a view onto a bunch of different stores that are actually separate, including a local machine store and per-user stores plus of course stores added by your membership of a domain or other grouping.

So Chrome gets to distinguish between certificates that Microsoft added and the ones added by Group Policy or whatever else to your system.

Oh! I should’ve known it was all stored in the registry. As you say, this is Windows after all. Found some MS docs that look relevant: https://docs.microsoft.com/en-gb/windows/win32/seccrypto/sys...
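The separate physical stores that the "Trusted Root Certification Authorities" view merges together can be listed straight from the registry, so each root is tied to the store it actually lives in. This is an added example, not code from any commenter; it assumes the registry paths and the Blob record layout noted in the comments.

```powershell
# Added example, not code from any commenter: inventory the *physical* root
# stores that Windows merges into the "Trusted Root Certification Authorities"
# view, reading the registry directly so each root is tied to the store it
# actually lives in. Assumed: the registry paths below, and the Blob layout
# (repeated records of DWORD propId, DWORD reserved, DWORD length, data;
# propId 32 holds the DER-encoded certificate).
$RootStores = [ordered]@{
    'AuthRoot (Microsoft auto-update program)' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    'LocalMachine (shipped + admin-installed)'  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    'GroupPolicy'                               = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise (domain)'                       = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    'CurrentUser'                               = 'HKCU:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
}

function Get-DerFromCertBlob([byte[]]$Blob) {
    # Walk the property records until the one carrying the certificate itself.
    $pos = 0
    while ($pos + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $pos)
        $len    = [BitConverter]::ToUInt32($Blob, $pos + 8)
        if ($propId -eq 32) { return [byte[]]($Blob[($pos + 12)..($pos + 11 + $len)]) }
        $pos += 12 + $len
    }
    return $null
}

function Get-RootStoreInventory {
    foreach ($store in $RootStores.Keys) {
        $path = $RootStores[$store]
        if (-not (Test-Path $path)) { continue }          # store absent on this host
        foreach ($key in Get-ChildItem $path) {
            $der = Get-DerFromCertBlob (Get-ItemProperty $key.PSPath).Blob
            if (-not $der) { continue }
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

# Roots outside AuthRoot are the ones to review: the LocalMachine store holds a
# few Microsoft-shipped roots, everything else there (and anything in the
# GroupPolicy, Enterprise or CurrentUser stores) was added locally.
Get-RootStoreInventory | Where-Object Store -notlike 'AuthRoot*' | Format-Table -AutoSize
```

Comparing the non-AuthRoot rows against a known baseline for the host is the check that surfaces a root someone installed to intercept TLS; a root that is only ever seen in the GroupPolicy or Enterprise stores is, by construction, one an administrator pushed.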

