by GauntletWizard 4133 days ago
(3) Google; Chrome has a rather sophisticated mechanism for detecting MITM attacks, in that it's distributed with pinned certs for several Google properties, and phones home with reports of errors it receives. This is how the DigiNotar leak[1] was discovered.

Perhaps because it was persistent and on the TCP stack level, the phone-homes never succeeded? The retry logic should be robust enough to try to deliver the fraud list anyway, even if it will only accept that it has been delivered after a secured connection is restored.

[1] http://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulen...


Chrome does not warn if the non-official root certificate is custom installed on the local machine. It needs to do this because of the various corporate web filters and anti-virus tools that MITM connections too.
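As an added illustration (my own code, not from any commenter and not Chromium's), here is a minimal Go model of the policy the comments above describe: an SPKI pin check that is skipped whenever the chain ends in a locally installed root. The certificates, the host name and the rootBuiltIn flag are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// spkiPin returns the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinsSatisfied models the policy the thread describes: some cert in the chain must match a pin, unless the root was installed locally.
func pinsSatisfied(chain []*x509.Certificate, pins map[string]bool, rootBuiltIn bool) bool {
	if !rootBuiltIn {
		return true // the exemption that lets enterprise filters (and Superfish) through unflagged
	}
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

func selfSigned(cn string) *x509.Certificate { // throwaway cert constructed for this example; no real CA involved
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// scenario: genuine cert passes; the proxy's cert is caught under a built-in root but waved through under a local one.
func scenario() (genuineOK, proxyCaught, proxyHidden bool) {
	genuine := selfSigned("mail.example") // the site's real key, whose pin the browser ships with
	proxied := selfSigned("mail.example") // same name, different key: a filtering proxy's cert
	pins := map[string]bool{spkiPin(genuine): true}
	return pinsSatisfied([]*x509.Certificate{genuine}, pins, true),
		!pinsSatisfied([]*x509.Certificate{proxied}, pins, true),
		pinsSatisfied([]*x509.Certificate{proxied}, pins, false)
}
func main() { a, b, c := scenario(); println(a, b, c) }
```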

Maybe this is a practice that needs to stop. Malware scanners can scan on the local machine after the browser has decrypted the communication and web filtering, I think, is nothing but a sign of mistrust against the users.

> Maybe this is a practice that needs to stop. Malware scanners can scan on the local machine after the browser has decrypted the communication and web filtering, I think, is nothing but a sign of mistrust against the users.

It's really kind of a giant security vulnerability. If an attacker can compromise the machine doing the MITM on all the encrypted connections then they get every password and credit card number for every user in your company for every website.

Sure, but once you allow local administrator access to your machine, the "guest" can modify your data and software however it wants, so you've already lost.

> web filtering, I think, is nothing but a sign of mistrust against the users.

What if it's the user who wants this filtering?

I run a local proxy that MITMs to filter out ads, tracking scripts, and other undesirable things. It works in all the browsers I use regularly, and any browsers that happen to be embedded in apps, because this way the stuff I want filtered out never even reaches the browser.

Can you please tell more about your setup? Why were a handful of browser plugins not enough in your case?

Filtering reverse proxies, e.g. privoxy, have an advantage over browser plugins as they work on the network level instead of on the DOM. This means that it works as a universal adblock regardless of what OS or browser you are running. It's especially useful when you are on mobile Safari or Chrome as they don't support adblocks.

The only way Google "needs" to collude with corporate MITM tools is its desire to court user base from corporate IT depts (allowed de jure in many countries that have weak privacy legislation).

Usually Chrome is eager to show security-related notifications but for this there isn't even a yellow notification bar with "OK, got it" option.

I think this is another example of how Google clearly puts its own interests ahead of its users.

Google wants to further promote its closed Chrome ecosystem, and to do that it needs to gain corporate support, for among other things, its Chromebooks and ChromeOS platform.

And it's obviously more important to appease corporate IT than to protect users' security.

Built in Google-spying and now, support for corporate spying too? I wouldn't trust a Chromebook as far as I can throw it.

That's a very impressive case of double think.

Google codes Chrome in order to make it more useful for various kinds of customers, such as customers who have virus scanners.

And this becomes "Google putting its own interests ahead of its users"?

Back here in reality, that's called the customer is always right and is a fundamental tenet of business.

There are many legitimate reasons to MITM web traffic. We don't need to disallow the practice, we need to build a framework that contemplates this need and provides a robust, stable architecture for it which makes it easy to distinguish between good listeners and bad listeners.

Yes, "It needs to do this because of the various corporate web filters and anti virus tools that MITM connections too." <-- this has to go away, the sooner the better. Even corporations with a large interest in MITMing their employees (mostly banks, mil, gov) should realize that this is bad security practice and will lead to all sorts of other problems.

Banks... imagine the irony.

Perhaps Chrome's MITM detection should only ignore private certs (for web filtering) if configured so via Group Policy or a similar mechanism?

> Chrome has a rather sophisticated mechanism for detecting MITM attacks

Which obviously didn't work here, as Chrome was one of the most affected targets.

Firefox on the other hand, was more or less absent altogether. I know which browser I will trust.

Superfish will infect Fx also, it's just that Lenovo didn't pre-install Fx and the installer only runs once.

If you install Superfish and then Chrome, you will be affected. If you install Superfish, then Firefox, you won't.

Thus Firefox is the more secure browser.

Superfish is not a man in the middle, by definition. It's running on your local computer. That's not the middle. That's the start. Consider that Superfish could have just done binary patching on the browser binaries instead of fiddling the local SSL configuration ... it's put there by the computer manufacturer so they can do anything they like.

It's called a "man in the middle" because it intercepts connections between the source and destination. The physical location is irrelevant.

That list is public; if you are in the business of writing these proxies anyway, fetching that list and using it as do-not-MITM exceptions is not a stretch. Which, unfortunately, defeats this nice side-effect of certificate pinning. People could have learned from the DigiNotar mistake (being: MITM'ing SSL-pinned certs).