Oh, and before anyone asks, certificate pinning is probably irrelevant for user-added certificates: https://www.imperialviolet.org/2011/05/04/pinning.html
*What about MITM proxies, Fiddler etc?* There are a number of cases where HTTPS connections are intercepted by using local, ephemeral certificates. These certificates are signed by a root certificate that has to be manually installed on the client. Corporate MITM proxies may do this, several anti-virus/parental control products do this and debugging tools like Fiddler can also do this. Since we cannot break in these situations, user-installed root CAs are given the authority to override pins. We don't believe that there will be any incompatibility issues.

On Fri, Aug 2, 2013 at 3:17 PM, Elazar Leibovich <[email protected]> wrote:
> Hi,
>
> I'm maintaining a small HTTP proxy library that allows you to eavesdrop
> HTTP requests. Someone reported a bug which I cannot recreate, so I'm
> trying my luck here. [repost from golang-nuts, where I didn't get an
> answer].
>
> It seems to work on my machine, but a user still complains.
> https://github.com/elazarl/goproxy/issues/15
>
> I could use two forms of help:
>
> 1) Test it on your environment and report the results.
>
> $ mkdir ~/gopath2
> $ GOPATH=~/gopath2 go get github.com/elazarl/goproxy/examples/eavesdropper
> $ # add ~/gopath2/src/github.com/elazarl/goproxy/ca.cert as a root CA to your browser
> $ ~/gopath2/bin/eavesdropper
> # use HTTP proxy at localhost:8080, browse to a https site, and see if you get warnings
>
> 2) Generally speaking, I don't really know too much cryptography in
> general, or TLS/SSL in particular. If you do, have a look at the code and
> explain my mistakes.
> Most of the logic is here:
> https://github.com/elazarl/goproxy/blob/master/signer.go
>
> The way it does that is:
> 1) goproxy has a builtin CA certificate, hard coded into a variable. It's
> generated with http://golang.org/src/pkg/crypto/tls/generate_cert.go
> 2) Given a CONNECT foo.com:443 proxy request, it would:
> 3) Generate a certificate for foo.com and sign it with the builtin CA,
> 4) Submit this certificate with the certificate chain: [new_cert, CA],
> using crypto/tls package.
_______________________________________________ Linux-il mailing list [email protected] http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
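As an added illustration of the four-step flow Elazar describes (this is example code written for this page, not goproxy's signer.go), the Go program below builds a throwaway CA in memory, mints a leaf certificate for foo.com signed by it, packages the pair as the [leaf, CA] chain crypto/tls serves on the tunnel, and then runs the client-side check that decides whether a browser would show a warning. The function names, the CA's display name and the second hostname bar.com are assumptions constructed here; foo.com is the name from the thread. The three outcomes in main show the two conditions a debugging user should check first: the proxy CA must actually be in the client's trust store, and the requested host must match the minted leaf's SAN list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint generates a fresh P-256 key, gives tmpl a random serial and a one-day
// validity, signs it with parent/signerKey and parses the resulting DER.
// For a self-signed certificate pass parent == tmpl and signerKey == nil.
func mint(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signerKey == nil {
		signerKey = key
	}
	tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a self-signed CA in memory, playing the role of goproxy's
// built-in ca.cert. The name is constructed for this example.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Proxy CA (constructed)"},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mint(tmpl, tmpl, nil)
}

// issueLeaf mints a server certificate for host signed by the CA (the
// per-CONNECT step). The host goes into the SAN list; Go's verifier, like
// current browsers, does not fall back to the CN for name matching.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mint(tmpl, ca, caKey)
}

// chainForTLS packages the pair the way crypto/tls serves it: leaf first,
// issuing CA second, plus the leaf's private key.
func chainForTLS(leaf, ca *x509.Certificate, leafKey *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{leaf.Raw, ca.Raw}, PrivateKey: leafKey, Leaf: leaf}
}

// verifyAsClient runs the check a browser makes on a presented chain: the
// leaf must chain to a root in the client's trust store and be valid for
// host. nil roots models a client that never installed the proxy CA.
func verifyAsClient(presented tls.Certificate, roots []*x509.Certificate, host string) error {
	leaf, err := x509.ParseCertificate(presented.Certificate[0])
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	for _, der := range presented.Certificate[1:] {
		if c, err := x509.ParseCertificate(der); err == nil {
			inter.AddCert(c)
		}
	}
	trust := x509.NewCertPool() // empty but non-nil: never fall back to the system store here
	for _, r := range roots {
		trust.AddCert(r)
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trust, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	leaf, leafKey, err := issueLeaf(ca, caKey, "foo.com")
	if err != nil {
		panic(err)
	}
	presented := chainForTLS(leaf, ca, leafKey)
	fmt.Println("CA installed, foo.com:    ", verifyAsClient(presented, []*x509.Certificate{ca}, "foo.com"))
	fmt.Println("CA not installed, foo.com:", verifyAsClient(presented, nil, "foo.com"))
	fmt.Println("CA installed, bar.com:    ", verifyAsClient(presented, []*x509.Certificate{ca}, "bar.com"))
}
```

The first line prints `<nil>` (no warning); the second fails with an unknown-authority error, which is what a browser reports when ca.cert was never added to its store; the third fails the hostname check, which is what a client sees if the proxy mints a leaf for a name other than the one in the CONNECT request. An empty, non-nil root pool is used deliberately so the check never silently consults the machine's system trust store.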
