Hi Chris, I've had a few days to think about this...
>> If correct, won't that break Chrome with respect to
>> http://www.imperialviolet.org/2011/05/04/pinning.html (see section
>> "What about MITM proxies, Fiddler etc?")?
>
> Section 2.6:
>
> """ For example, a UA may disable Pin Validation for Pinned Hosts
> whose validated certificate chain terminates at a user-defined trust
> anchor, rather than a trust anchor built-in to the UA (or underlying
> platform)."""
>
> So that's how you make Fiddler work, among other things.

This is where I am concerned: user-defined. I think it's a mistake to claim the user defined anything under most circumstances and use cases. It's not clear to me where the user makes a well-informed decision.

The uncommon case is the pen-tester or researcher using the proxy tools. In this use case, the user clearly made the decision, and clearly defined the trust anchor.

I think the more common cases of "I want to use my device at work" or "I must click through the buttons to use the wifi hotspot" are devoid of any user understanding and decision. In this use case, the user did not define a trust anchor. Rather, it was surreptitiously installed by the device management software or unscrupulous service providers.

In fact, the "user's decision" was likely hidden away in a Terms of Service when Nokia was caught performing intercept en masse [0]. In this case, the user clearly did not define anything. Rather, the handset manufacturer made the decision for the user.

Is there anything that can be done to address the gap?

[0] http://web.archive.org/web/20140127075723/http://falkvinge.net/2013/01/11/death-twitches-nokia-caught-wiretapping-encrypted-traffic-from-its-handsets/

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
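The Section 2.6 exception quoted in the message above, shown as an added example that is not part of the mailing-list post, the HPKP draft, or any browser's code. It models a UA's pin check: pins are base64(SHA-256(SubjectPublicKeyInfo)) as in HPKP, and a chain whose root is a user-added (non-built-in) anchor is exempted from pin validation. The certificates, their SPKI bytes, and the `skip_for_user_anchors` switch are constructed for illustration; a real UA would take the SPKI from the validated X.509 chain. The `PinDecision.enforced` flag is the point a defender wants: it is the signal that the pins were bypassed by a locally installed root, which is exactly the case the message worries about.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an already chain-validated certificate (constructed)."""
    subject: str
    spki_der: bytes  # DER SubjectPublicKeyInfo; sample bytes here, not real keys


def spki_pin(cert: Cert) -> str:
    """HPKP-style pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode()


@dataclass
class PinDecision:
    enforced: bool   # False when pin validation was skipped for a user-defined anchor
    passed: bool     # True when the connection is allowed to proceed
    reason: str


def validate_pins(chain: List[Cert], pins: Set[str], builtin_anchors: Set[str],
                  user_anchors: Set[str], skip_for_user_anchors: bool = True) -> PinDecision:
    """Pin check for a chain that already passed normal path validation.

    chain is leaf-first; chain[-1] is the trust anchor it terminated at.
    builtin_anchors / user_anchors hold the SPKI pins of the two root stores.
    """
    root_pin = spki_pin(chain[-1])
    if root_pin in user_anchors and root_pin not in builtin_anchors:
        if skip_for_user_anchors:
            # The Section 2.6 exception: user-defined anchor, pins not enforced.
            return PinDecision(enforced=False, passed=True,
                               reason="chain terminates at user-defined anchor; pin validation disabled")
    if any(spki_pin(c) in pins for c in chain):
        return PinDecision(enforced=True, passed=True, reason="a pinned SPKI is in the chain")
    return PinDecision(enforced=True, passed=False, reason="no pinned SPKI in chain")


# --- constructed sample data -------------------------------------------------
LEAF = Cert("example.test", b"spki:leaf")
INTERMEDIATE = Cert("Example Issuing CA", b"spki:intermediate")
BUILTIN_ROOT = Cert("Built-in Root CA", b"spki:builtin-root")
PROXY_LEAF = Cert("example.test", b"spki:proxy-leaf")
PROXY_ROOT = Cert("Locally Installed Interception Root", b"spki:proxy-root")

PINS = {spki_pin(INTERMEDIATE)}               # the site pins its intermediate
BUILTIN_STORE = {spki_pin(BUILTIN_ROOT)}
USER_STORE = {spki_pin(PROXY_ROOT)}           # added by MDM, captive portal, proxy tool...

LEGIT_CHAIN = [LEAF, INTERMEDIATE, BUILTIN_ROOT]
PROXY_CHAIN = [PROXY_LEAF, PROXY_ROOT]


def demo() -> List[PinDecision]:
    """Run the three cases the message contrasts and return the decisions."""
    return [
        validate_pins(LEGIT_CHAIN, PINS, BUILTIN_STORE, USER_STORE),
        validate_pins(PROXY_CHAIN, PINS, BUILTIN_STORE, USER_STORE),
        validate_pins(PROXY_CHAIN, PINS, BUILTIN_STORE, USER_STORE, skip_for_user_anchors=False),
    ]


if __name__ == "__main__":
    for d in demo():
        flag = "" if d.enforced else "  <-- pins bypassed, worth logging/alerting"
        print(f"enforced={d.enforced!s:5} passed={d.passed!s:5} {d.reason}{flag}")
```

The third call shows the policy knob: with `skip_for_user_anchors=False` the same interception chain fails pin validation, because nothing in it matches the site's pins. A UA or an enterprise agent that cannot tell a pen-tester's deliberate root from one pushed by device management can at least surface the `enforced=False` case rather than silently accepting it.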
