by awj 2417 days ago
> or (2) the user to install a certificate generated by the person doing the MITM

You mean like that "setup software" Comcast spent ages trying to pretend I had to install just to get things running?

I ran Linux in those days, which always meant a little extra support time but I never had to install jack.

1 comments

That's quite possible, but many apps and browsers pin certificates and this would probably be reported quickly?
https://chromium.googlesource.com/chromium/src/+/master/docs...

> Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites.

I was going off remembering this.

> Late on December 24, Chrome detected and blocked an unauthorized digital certificate for the "*.google.com" domain.

https://security.googleblog.com/2013/01/enhancing-digital-ce...

Pretty sure Chrome has its own code to detect Google certs and report invalid ones back to Google.