by pilif 4134 days ago
Chrome does not warn if the non-official root certificate is custom-installed on the local machine. It needs to do this because of the various corporate web filters and anti-virus tools that MITM connections too.

Maybe this is a practice that needs to stop. Malware scanners can scan on the local machine after the browser has decrypted the communication and web filtering, I think, is nothing but a sign of mistrust against the users.

6 comments

> Maybe this is a practice that needs to stop. Malware scanners can scan on the local machine after the browser has decrypted the communication and web filtering, I think, is nothing but a sign of mistrust against the users.

It's really kind of a giant security vulnerability. If an attacker can compromise the machine doing the MITM on all the encrypted connections then they get every password and credit card number for every user in your company for every website.

Sure, but once you allow local administrator access to your machine, the "guest" can modify your data and software however it wants, so you've already lost.

> web filtering, I think, is nothing but a sign of mistrust against the users.

What if it's the user who wants this filtering?

I run a local proxy that MITMs to filter out ads, tracking scripts, and other undesirable things. It works in all the browsers I use regularly, and any browsers that happen to be embedded in apps, because this way the stuff I want filtered out never even reaches the browser.

Can you please tell more about your setup? Why were a handful of browser plugins not enough in your case?

Filtering reverse proxies, e.g. privoxy, have an advantage over browser plugins as they work on the network level instead of on the DOM. This means that it works as a universal adblock regardless of what OS or browser you are running. It's especially useful when you are on mobile Safari or Chrome as they don't support adblocks.
The only way Google "needs" to collude with corporate MITM tools is its desire to court user base from corporate IT depts (allowed de jure in many countries that have weak privacy legislation).

Usually Chrome is eager to show security-related notifications but for this there isn't even a yellow notification bar with "OK, got it" option.

I think this is another example of how Google clearly puts its own interests ahead of its users.

Google wants to further promote its closed Chrome ecosystem, and to do that it needs to gain corporate support for, among other things, its Chromebooks and ChromeOS platform.

And it's obviously more important to appease corporate IT than to protect users' security.

Built in Google-spying and now, support for corporate spying too? I wouldn't trust a Chromebook as far as I can throw it.

That's a very impressive case of double think.

Google codes Chrome in order to make it more useful for various kinds of customers, such as customers who have virus scanners.

And this becomes "Google putting its own interests ahead of its users"?

Back here in reality, that's called "the customer is always right" and is a fundamental tenet of business.

There are many legitimate reasons to MITM web traffic. We don't need to disallow the practice, we need to build a framework that contemplates this need and provides a robust, stable architecture for it which makes it easy to distinguish between good listeners and bad listeners.

Yes, "It needs to do this because of the various corporate web filters and anti virus tools that MITM connections too." <-- this has to go away the sooner the better. Even corporations with a large interest in MITMing their employees (mostly banks, mil, gov) should realize that this is bad security practice and will lead to all sorts of other problems.

Banks... imagine the irony.

Perhaps Chrome's MITM detection should only ignore private certs (for web filtering) if configured so via Group Policy or similar mechanism?
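The check the last comment asks for, and that the opening comment says Chrome skips, is whether a chain that validates terminates in a root installed locally rather than one in the public bundle. The script below is an added example and is not code from this thread, from Chrome, or from any filtering product. It uses only openssl: it constructs a private "web filter" root, issues a leaf certificate for a constructed hostname from it, constructs a second self-signed root as a stand-in for the public root bundle, and then classifies the root that validates the chain. All CA names, the hostname and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Needs only openssl (1.1.0 or later).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root <CN> <basename>: self-signed CA certificate and key. A private config
# is written so the result does not depend on the system openssl.cnf. (constructed)
make_root() {
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n[ v3_ca ]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' "$1" > "$WORK/$2.cnf"
  openssl req -config "$WORK/$2.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -extensions v3_ca -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# issue_leaf <hostname> <issuer basename> <basename>: a server certificate for the
# hostname, signed by the given root. This is what an intercepting proxy presents.
issue_leaf() {
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' "$1" > "$WORK/$3.cnf"
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$1" > "$WORK/$3.ext"
  openssl req -config "$WORK/$3.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$3.ext" -out "$WORK/$3.pem" 2>/dev/null
}

# fingerprint <cert.pem>: SHA-256 fingerprint, colon-separated hex.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# chain_ok <leaf> <root> <hostname>: does the leaf validate against that single root
# (system CA directory excluded) and match the hostname?
chain_ok() {
  openssl verify -no-CApath -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# classify_root <root.pem> <allow-list>: "public" if the root's fingerprint is in the
# allow-list of known public roots, "local" otherwise. A "local" root that validates
# the chain is exactly the case the thread says Chrome stays silent about.
classify_root() {
  if grep -qx "$(fingerprint "$1")" "$2"; then echo public; else echo local; fi
}

# report <hostname> <leaf> <root>: one line a client-side check could log.
report() {
  if chain_ok "$2" "$3" "$1"; then
    echo "$1: chain validates, root is $(classify_root "$3" "$WORK/public_roots.txt")"
  else
    echo "$1: chain does not validate against $(basename "$3")"
  fi
}

make_root "Constructed Public Root CA" public             # stand-in for the public bundle
make_root "Example Corp Web Filter Root" filter           # the custom-installed root
issue_leaf mail.example.com filter leaf                   # interception cert for the site
fingerprint "$WORK/public.pem" > "$WORK/public_roots.txt" # allow-list of public root fingerprints

report mail.example.com "$WORK/leaf.pem" "$WORK/filter.pem"   # validates, root is local
report mail.example.com "$WORK/leaf.pem" "$WORK/public.pem"   # does not validate
```

The allow-list here is a single constructed root; on a real machine it would be the fingerprints of the public bundle the browser ships, and the interesting event is a chain that validates only through a root absent from that list. That is the condition a Group Policy switch, as the comment suggests, could gate the warning on.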