On Monday 01 September 2014 at 12:07:57 (EU time), Steve Hill wrote:

> Mozilla have announced that Firefox 32 does public key pinning:
> http://monica-at-mozilla.blogspot.co.uk/2014/08/firefox-32-supports-public-key-pinning.html
>
> Obviously this has the potential to render SSL-bump considerably less
> useful. At the moment it seems to be restricted to a small number of
> domains, but that's sure to increase.
>
> Whilst I support the idea of ensuring that traffic isn't surreptitiously
> intercepted, there are legitimate instances where interception is
> necessary *and* the user is fully aware that it is happening (and has
> therefore imported the proxy's CA certificate into their key chain). So
> I'm wondering if there is any kind of workaround to keep SSL-bump
> working with these sites?

From https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

  Starting with FF 32, it's on by default, so you don't have to do anything.
  The pinning level is enforced by a pref, security.cert_pinning.enforcement_level

  0. Pinning disabled
  1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
  2. Strict. Pinning is always enforced.
  3. Enforce test mode.

That seems to me to say that if the root of the certificate chain is a
user-added cert, pinning will not be enforced, therefore the user isn't
affected?

> 1. It seems to me that imported CA certs should have some kind of flag
> associated with them to indicate that they should be trusted even for
> pinned domains.
> 2. I'm guessing that this is not an issue for devices that *always* go
> through an intercepting proxy, since presumably they would never get to
> see the real cert, so wouldn't pin it? So this is mainly an issue for
> devices that move between networks?

Regards,

Antony.

--
Tinned food was developed for the British Navy in 1813. The tin opener was
not invented until 1858.

Please reply to the list; please *don't* CC me.
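As an added illustration of the pref semantics quoted above (this is not code from the list, from Mozilla or from Squid), the script below reads security.cert_pinning.enforcement_level from a Firefox prefs.js/user.js body and reports whether a pin mismatch would block a chain anchored in a user-imported CA (an SSL-bump proxy's CA) versus one anchored in a built-in root. The prefs.js line format is real; treating level 3 as report-only and the sample pref fragments are assumptions made here.

```python
import re

PREF = "security.cert_pinning.enforcement_level"
LEVELS = {0: "disabled", 1: "allow-user-mitm", 2: "strict", 3: "test-mode"}
# Matches the user_pref("name", value); lines found in prefs.js / user.js
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(-?\d+)\);')

def read_enforcement_level(prefs_text, default=1):
    """Return the pinning enforcement level set in a prefs.js/user.js body.
    Firefox 32 defaults to 1 when the pref is absent (per the wiki quoted above)."""
    level = default
    for line in prefs_text.splitlines():
        m = _PREF_RE.match(line)
        if m and m.group(1) == PREF:
            level = int(m.group(2))  # last occurrence wins, as in Firefox
    return level

def pinning_enforced(level, anchor_is_user_added):
    """Decide whether a pin mismatch blocks the connection for a chain whose
    trust anchor is (or is not) a CA the user imported, e.g. a bump proxy's CA."""
    if level == 0:
        return False
    if level == 1:
        return not anchor_is_user_added
    if level == 2:
        return True
    if level == 3:
        return False  # test mode: assumed report-only (assumption, not from the page)
    raise ValueError(f"unknown enforcement level {level}")

def audit(prefs_text):
    """Summarize what the profile's setting means for an SSL-bump deployment."""
    level = read_enforcement_level(prefs_text)
    return {
        "level": level,
        "mode": LEVELS.get(level, "unknown"),
        "blocks_user_ca_mitm": pinning_enforced(level, True),
        "blocks_rogue_builtin_ca": pinning_enforced(level, False),
    }

# Constructed sample prefs.js fragments for illustration (not real profiles).
SAMPLE_DEFAULT = 'user_pref("browser.startup.page", 0);\n'
SAMPLE_STRICT = SAMPLE_DEFAULT + f'user_pref("{PREF}", 2);\n'
SAMPLE_OFF = f'user_pref("{PREF}", 0);\n'

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("strict", SAMPLE_STRICT), ("off", SAMPLE_OFF)]:
        print(name, audit(text))
```

A level of 0 in a managed profile is the setting a defender should flag, since it disables pinning for every chain, not just user-imported anchors.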