Mozilla have announced that Firefox 32 does public key pinning: http://monica-at-mozilla.blogspot.co.uk/2014/08/firefox-32-supports-public-key-pinning.html
Obviously this has the potential to render SSL-bump considerably less useful. At the moment it seems to be restricted to a small number of domains, but that's sure to increase.
Whilst I support the idea of ensuring that traffic isn't surreptitiously intercepted, there are legitimate instances where interception is necessary *and* the user is fully aware that it is happening (and has therefore imported the proxy's CA certificate into their key chain). So I'm wondering if there is any kind of workaround to keep SSL-bump working with these sites?
1. It seems to me that imported CA certs should have some kind of flag associated with them to indicate that they should be trusted even for pinned domains. 2. I'm guessing that this is not an issue for devices that *always* go through an intercepting proxy, since presumably they would never get to see the real cert, so wouldn't pin it? So this is mainly an issue for devices that move between networks?
-- - Steve Hill Technical Director Opendium Limited http://www.opendium.com Direct contacts: Instant messager: xmpp:st...@opendium.com Email: st...@opendium.com Phone: sip:st...@opendium.com Sales / enquiries contacts: Email: sa...@opendium.com Phone: +44-844-9791439 / sip:sa...@opendium.com Support contacts: Email: supp...@opendium.com Phone: +44-844-4844916 / sip:supp...@opendium.com
