Re: [squid-users] SSL Bump and certificate pinning

From: Antony Stone <Antony.Stone_at_squid.open.source.it>
Date: Mon, 1 Sep 2014 12:19:49 +0200

On Monday 01 September 2014 at 12:07:57 (EU time), Steve Hill wrote:

> Mozilla have announced that Firefox 32 does public key pinning:
> http://monica-at-mozilla.blogspot.co.uk/2014/08/firefox-32-supports-public-key-pinning.html
>
> Obviously this has the potential to render SSL-bump considerably less
> useful. At the moment it seems to be restricted to a small number of
> domains, but that's sure to increase.
>
> Whilst I support the idea of ensuring that traffic isn't surreptitiously
> intercepted, there are legitimate instances where interception is
> necessary *and* the user is fully aware that it is happening (and has
> therefore imported the proxy's CA certificate into their key chain). So
> I'm wondering if there is any kind of workaround to keep SSL-bump
> working with these sites?

From https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

Starting with FF 32, it's on by default, so you don't have to do anything. The
pinning level is enforced by a pref, security.cert_pinning.enforcement_level

 0. Pinning disabled
 1. Allow User MITM (pinning not enforced if the trust anchor is a user
inserted CA, default)
 2. Strict. Pinning is always enforced.
 3. Enforce test mode.

That seems to me to say that if the root of the certificate chain is a user-
added cert, pinning will not be enforced, therefore the user isn't affected?

> 1. It seems to me that imported CA certs should have some kind of flag
> associated with them to indicate that they should be trusted even for
> pinned domains.
> 2. I'm guessing that this is not an issue for devices that *always* go
> through an intercepting proxy, since presumably they would never get to
> see the real cert, so wouldn't pin it? So this is mainly an issue for
> devices that move between networks?

Regards,

Antony.

-- 
Tinned food was developed for the British Navy in 1813.
The tin opener was not invented until 1858.
                                                   Please reply to the list;
                                                         please *don't* CC me.
Received on Mon Sep 01 2014 - 10:20:00 MDT
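Added example (not from this thread or from Squid): a small Python model of how the security.cert_pinning.enforcement_level values quoted above decide whether a pinned site's chain is accepted, once through a real chain and once through an SSL-bumped chain rooted in a user-imported proxy CA. The chains and keys are constructed stand-ins, not real X.509; the pin format (base64 of SHA-256 over the SubjectPublicKeyInfo) is the usual pin-sha256 form; level 3 (test mode) is not described in the thread and is deliberately left unmodelled.

```python
import base64
import hashlib

# Enforcement levels of security.cert_pinning.enforcement_level, as quoted in the thread.
PINNING_DISABLED, ALLOW_USER_MITM, STRICT = 0, 1, 2


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo)), the pin-sha256 form."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def chain_matches_pins(chain, pins) -> bool:
    """A chain satisfies the pin set if any certificate in it carries a pinned key."""
    return any(spki_pin(cert["spki"]) in pins for cert in chain)


def connection_allowed(chain, pins, level) -> bool:
    """Model of the browser's decision; chain[-1] is the trust anchor."""
    if level == PINNING_DISABLED:
        return True
    if level == ALLOW_USER_MITM and chain[-1]["user_added"]:
        return True  # anchor is a CA the user imported: pins are not enforced
    if level in (ALLOW_USER_MITM, STRICT):
        return chain_matches_pins(chain, pins)
    raise ValueError("level 3 (test mode) is not described here and is not modelled")


# Constructed stand-in chains (dicts, not real certificates); last element is the root.
REAL_CHAIN = [
    {"name": "site leaf", "spki": b"constructed-site-leaf-key", "user_added": False},
    {"name": "site intermediate", "spki": b"constructed-intermediate-key", "user_added": False},
    {"name": "public root", "spki": b"constructed-public-root-key", "user_added": False},
]
BUMPED_CHAIN = [
    {"name": "proxy-generated leaf", "spki": b"constructed-proxy-leaf-key", "user_added": False},
    {"name": "proxy CA (imported by user)", "spki": b"constructed-proxy-ca-key", "user_added": True},
]
# The site pins its intermediate's key (constructed), as static pin sets commonly do.
SITE_PINS = {spki_pin(b"constructed-intermediate-key")}

if __name__ == "__main__":
    for lvl in (PINNING_DISABLED, ALLOW_USER_MITM, STRICT):
        print("level", lvl, "real:", connection_allowed(REAL_CHAIN, SITE_PINS, lvl),
              "bumped:", connection_allowed(BUMPED_CHAIN, SITE_PINS, lvl))
```

Under level 1 the bumped chain passes only because its anchor is user-added; under level 2 it fails because no key in it is pinned.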
