by schoen
4132 days ago
Maybe it triggers the logic that allows (supposedly) user-added certs to override those pins? (Google was pressured into adding such logic by corporate users, whose IT departments want to -- supposedly openly -- MITM employees' connections.)

Edit: I think that's the case. AGL's original announcement of pinning said:

"There are a number of cases where HTTPS connections are intercepted by using local, ephemeral certificates. These certificates are signed by a root certificate that has to be manually installed on the client. Corporate MITM proxies may do this, several anti-virus/parental control products do this and debugging tools like Fiddler can also do this. Since we cannot break in these situations, user installed root CAs are given the authority to override pins. We don't believe that there will be any incompatibility issues."

https://www.imperialviolet.org/2011/05/04/pinning.html

If Chrome thinks that this was a "user installed root CA", it would have been allowed to override the pin. (Disclaimer: I haven't checked that this is right, I'm just using my recollection of how this could work according to AGL's account.)
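The override rule schoen quotes (a chain ending in a user-installed root bypasses the pin check) modelled as a small decision function. This is an added illustration, not Chrome's code and not from the post; certificate names, SPKI bytes and the pin set are constructed samples, and it assumes ordinary chain validation has already succeeded before pins are consulted.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str
    spki: bytes                     # DER SubjectPublicKeyInfo (constructed sample bytes)
    user_installed_root: bool = False  # True if this root came from the user's store, not the built-in list


def spki_sha256(spki: bytes) -> str:
    """Pin format: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


def check_pins(chain: list[Cert], pins: set[str]) -> tuple[bool, str]:
    """Decide whether a validated chain (leaf first, root last) satisfies the pins.

    Order mirrors the quoted policy: a matching pinned SPKI anywhere in the chain
    passes; otherwise a chain anchored at a user-installed root is allowed through
    (the override); anything else fails. The reason string is what a defender
    would want logged, since the override is exactly the case worth noticing.
    """
    for cert in chain:
        if spki_sha256(cert.spki) in pins:
            return True, f"pin matched on {cert.name}"
    root = chain[-1]
    if root.user_installed_root:
        return True, f"pin override: chain anchored at user-installed root {root.name}"
    return False, "no pinned SPKI in chain"


# Constructed sample data: the pinned key is the site's intermediate CA.
PINS = {spki_sha256(b"sample-intermediate-ca-spki")}

BUILTIN_ROOT = Cert("Builtin Root", b"sample-builtin-root-spki")
LEGIT_CHAIN = [Cert("leaf", b"sample-leaf-spki"),
               Cert("Intermediate CA", b"sample-intermediate-ca-spki"),
               BUILTIN_ROOT]
# Interception proxy: its own leaf, signed by a root the user installed locally.
PROXY_CHAIN = [Cert("proxy-leaf", b"sample-proxy-leaf-spki"),
               Cert("Corporate Proxy Root", b"sample-proxy-root-spki", user_installed_root=True)]
# Mis-issued cert from a built-in root that is not pinned: must fail.
ROGUE_CHAIN = [Cert("rogue-leaf", b"sample-rogue-leaf-spki"), BUILTIN_ROOT]

if __name__ == "__main__":
    for label, chain in [("legit", LEGIT_CHAIN), ("proxy", PROXY_CHAIN), ("rogue", ROGUE_CHAIN)]:
        print(label, check_pins(chain, PINS))
```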
"openly"? Why doesn't the user see that a fake certificate is being used then? There is no excuse for not showing a big fat warning.
This only shows which side Google is really on when it's evil corporations vs. you, the user.