by Remed 2552 days ago
You can create a self-signed certificate for Google domains and trust it on your machines. Then you can MITM. This won't work well if you want to do it at scale, with a number of 3rd party users, but if the only user is you or your family, it should do the trick.
2 comments

> You can create a self-signed certificate for Google domains and trust it on your machines. Then you can MITM.

Can you point to or write up a blog post with a proof of concept?

mkcert[1] is probably the easiest way to generate a root certificate and leaf certificate(s). Then you can use a proxy like Squid to intercept the traffic[2]. You’d also need a local DNS server to point hosts like fonts.googleapis.com to your own web server.

https://github.com/FiloSottile/mkcert

https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-...

[Edit: Now that I think of it, I’m not sure if Squid is really required...]

Won’t work for Google as their certs are pinned.

Not sure about other browsers, but Chrome will ignore certificate pins if the cert provided chains to a local trust anchor.

From: http://www.chromium.org/Home/chromium-security/security-faq#...

"Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites. “Data loss prevention” appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.

We deem this acceptable because the proxy or MITM can only be effective if the client machine has already been configured to trust the proxy’s issuing certificate — that is, the client is already under the control of the person who controls the proxy (e.g. the enterprise’s IT administrator). If the client does not trust the private trust anchor, the proxy’s attempt to mediate the connection will fail as it should."

Does anyone know how Chrome distinguishes a private trust anchor from all the other root certificates that are provided by the operating system? (Comodo, Comsign, Digicert et al.)