On Wed, Nov 25, 2015 at 9:16 AM, Dave Howe <[email protected]> wrote: > On 25/11/2015 12:59, Florian Schütz wrote: >> This is true for Chrome and, I think, for Firefox as well. Some >> enterprises insist on MITMing TLS connections at a proxy, and at least >> Chrome will not break this. They argue if they were to strictly >> enforce Pins, people would just switch to a more permissive browser. I >> agree with their line of thought. > Yup. Firefox of course isn't aware of this Dell key, as it is in the > windows keystore, so will fail to validate such a certificate....
Chrome will fall victim because they use the OS store (http://www.chromium.org/Home/chromium-security/root-ca-policy)... Chrome will even break a known good pinset. Priorities of Constituencies and all the other web/security model goodness (http://www.w3.org/TR/html-design-principles/#priority-of-constituencies)... Jeff _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
