SSL Bump and certificate pinning

Mozilla have announced that Firefox 32 does public key pinning:
http://monica-at-mozilla.blogspot.co.uk/2014/08/firefox-32-supports-public-key-pinning.html

Obviously this has the potential to render SSL-bump considerably less useful. At the moment it seems to be restricted to a small number of domains, but that's sure to increase.

Whilst I support the idea of ensuring that traffic isn't surreptitiously intercepted, there are legitimate instances where interception is necessary *and* the user is fully aware that it is happening (and has therefore imported the proxy's CA certificate into their key chain). So I'm wondering if there is any kind of workaround to keep SSL-bump working with these sites?

1. It seems to me that imported CA certs should have some kind of flag associated with them to indicate that they should be trusted even for pinned domains.

2. I'm guessing that this is not an issue for devices that *always* go through an intercepting proxy, since presumably they would never get to see the real cert, so wouldn't pin it? So this is mainly an issue for devices that move between networks?

--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:steve@xxxxxxxxxxxx
   Email:            steve@xxxxxxxxxxxx
   Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:            sales@xxxxxxxxxxxx
   Phone:            +44-844-9791439 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:            support@xxxxxxxxxxxx
   Phone:            +44-844-4844916 / sip:support@xxxxxxxxxxxx
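The following is an added example, not code from the thread, from Squid or from Mozilla. It models the browser-side check that the post is asking about: ordinary path validation against the trust store, followed by a separate pin check on the resulting chain, using the pin form shared by HPKP and Firefox's built-in pin sets (base64 of the SHA-256 of the DER SubjectPublicKeyInfo). It builds a "real" root and leaf for a made-up host, a bumped leaf for the same host signed by a made-up proxy CA, imports the proxy CA into the trust store, and shows that the bumped chain validates but still fails the pin. It also plays out the second point in the post: a client that learned its pins while behind the proxy has pinned the proxy's key, so it fails the pin check as soon as it sees the real chain. The hostname and CA names are assumptions, and the chain-building uses Go's standard x509 package rather than any browser's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Hostname and CA names are made up for this example.
const pinnedHost = "pinned.example"

// spkiPin computes base64(SHA-256(DER SubjectPublicKeyInfo)), the pin form
// used by HPKP and by Firefox's built-in pin sets.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainMatchesPins is the pin check proper: the validated chain must contain
// at least one certificate whose SPKI hash is in the pin set. Trust-store
// membership plays no part here, which is why importing a proxy CA does not
// satisfy a pin for the real site.
func chainMatchesPins(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue mints a certificate for cn. With parent == nil it is a self-signed
// root CA; otherwise it is a server leaf signed by parent/parentKey.
func issue(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Outcome records what the client decides for one presented leaf.
type Outcome struct {
	Trusted bool // chain builds to a root in the trust store
	Pinned  bool // the validated chain also satisfies the pin set
}

// check runs path validation first, then the pin check on the chain it built.
func check(leaf *x509.Certificate, roots *x509.CertPool, pins map[string]bool) Outcome {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: pinnedHost})
	if err != nil {
		return Outcome{}
	}
	return Outcome{Trusted: true, Pinned: chainMatchesPins(chains[0], pins)}
}

// Scenario returns: the real chain against the real pin, the bumped chain
// against the real pin (proxy CA imported), and the real chain against a pin
// learned while behind the proxy (the roaming device from point 2).
func Scenario() (direct, bumped, roaming Outcome) {
	realCAKey := newKey()
	realCA := issue("Real Root CA", realCAKey, nil, nil)
	realLeaf := issue(pinnedHost, newKey(), realCA, realCAKey)
	realPins := map[string]bool{spkiPin(realCA): true}

	proxyCAKey := newKey()
	proxyCA := issue("SSL-Bump Proxy CA", proxyCAKey, nil, nil)
	bumpedLeaf := issue(pinnedHost, newKey(), proxyCA, proxyCAKey)
	learnedPins := map[string]bool{spkiPin(proxyCA): true} // all the device ever saw

	roots := x509.NewCertPool() // the user imported the proxy CA
	roots.AddCert(realCA)
	roots.AddCert(proxyCA)

	return check(realLeaf, roots, realPins), check(bumpedLeaf, roots, realPins), check(realLeaf, roots, learnedPins)
}

func main() {
	direct, bumped, roaming := Scenario()
	fmt.Printf("direct chain, real pin:    trusted=%v pinned=%v\n", direct.Trusted, direct.Pinned)
	fmt.Printf("bumped chain, real pin:    trusted=%v pinned=%v\n", bumped.Trusted, bumped.Pinned)
	fmt.Printf("direct chain, learned pin: trusted=%v pinned=%v\n", roaming.Trusted, roaming.Pinned)
}
```

The practical caveat for a Squid deployment is that the check above is the strict form; Firefox's actual pinning is governed by the `security.cert_pinning.enforcement_level` preference, whose default (1) skips pin enforcement when the chain terminates at a user-imported root, precisely the flag-on-imported-CA behaviour the first point in the post asks for, while level 2 enforces pins regardless of the trust anchor.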
