You are right. “Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.” [1]
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

On Sun, Jul 28, 2019 at 2:07 PM Alex Monk <kren...@gmail.com> wrote:

> Correct me if I'm wrong but I believe browsers always ignored HPKP rules when presented with a cert signed by a CA that is locally installed rather than default.
>
> On Sun, 28 Jul 2019, 12:58 John Erling Blad, <jeb...@gmail.com> wrote:
>
> > The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but Chrome seems to have dropped support for HPKP [2]? Dropping HPKP made the MITM attack possible, by forcing the users to install the root certificate, as many of the sites listed have been on the HPKP list. With HPKP in place the scheme would be somewhat harder to implement.
> >
> > [1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
> > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
> >
> > On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka <setthemf...@privacyrequired.com> wrote:
> >
> > > I don't see any position from Mozilla on this yet:
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
> > > https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E
> > >
> > > Couldn't find anything about Google Chrome.
> > >
> > > Meanwhile, I have emailed secur...@wikimedia.org with a link to this discussion (hope it's not a terribly inappropriate thing to do).
> > >
> > > It'd be great to hear from WMF about their view on this.
> > >
> > > Best,
> > > Yury.
> > >
> > > Yury Bulka <setthemf...@privacyrequired.com> writes:
> > >
> > > > I'm not in Kazakhstan and am not directly in touch with any of wikimedians there, so I don't know their position.
> > > >
> > > > However, I'm not sure how much freedom they have in expressing their honest opinion about this publicly. Simply because it is always a pros-and-cons calculation to criticise your local government in such situations.
> > > >
> > > > Yaroslav Blanter <ymb...@gmail.com> writes:
> > > >
> > > > > I do not think Kazakhstan has a chapter. In the past, some Kazakh Wikimedians enjoyed close collaboration with the government (for example, the Kazakhstani Encyclopedia has been released under a free license and verbatim copied to the Kazakh Wikipedia), so that I do not expect much.
> > > > >
> > > > > Cheers
> > > > > Yaroslav
> > > > >
> > > > > On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <homesec1...@gmail.com> wrote:
> > > > >
> > > > > > Yury
> > > > > >
> > > > > > What is the position of the Kazakhstan chapter on this?
> > > > > >
> > > > > > The Turnip
> > > > > >
> > > > > > On Sun, 21 Jul 2019 at 11:36, Yury Bulka <setthemf...@privacyrequired.com> wrote:
> > > > > >
> > > > > > > I'm sure many have heard about this:
> > > > > > >
> > > > > > > https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> > > > > > >
> > > > > > > Essentially, the government in Kazakhstan started forcing citizens into installing a root TLS certificate on their devices that would allow the government to intercept, decrypt and manipulate all HTTPS traffic.
> > > > > > >
> > > > > > > Without the certificate, it seems, citizens can't access HTTPS pages (at least on some ISPs).
> > > > > > >
> > > > > > > I think this has serious implications for Wikipedia & Wikimedia, as not only they would be easily able to see which articles people read, but also steal login credentials, depseudonymize people and even hijack admin accounts.
> > > > > > >
> > > > > > > Another danger is that if this effort by Kazakhstan will succeed, other governments may start doing the same.
> > > > > > >
> > > > > > > I wonder if WMF has any position on this yet?
> > > > > > >
> > > > > > > Best,
> > > > > > > Yury.
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l
> > > > > > > New messages to: Wikimedia-l@lists.wikimedia.org
> > > > > > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
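As an added illustration of the browser rule quoted at the top of this thread (this is not code from the thread, from MDN or from any browser), a small Python model of HPKP evaluation: pins are base64(SHA-256(SubjectPublicKeyInfo)) as in RFC 7469, a chain passes if any SPKI in it matches a pin, and pin validation is skipped outright when the validated chain ends at a user-installed root. All SPKI byte strings and the Public-Key-Pins header are constructed sample values, not real keys.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for one SubjectPublicKeyInfo: base64(SHA-256(SPKI)), per RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_hpkp(header: str) -> dict:
    """Parse Public-Key-Pins directives into pins, max-age and includeSubDomains."""
    pins, max_age, include_sub = set(), None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}

def check_pins(policy: dict, chain_spkis: list, anchor_is_builtin: bool) -> str:
    """Apply a cached pin set to a chain that already passed normal path validation.
    'skipped' models the Firefox/Chrome rule quoted in the thread: a chain ending at a
    user-installed root is never pin-checked, so such interception is not reported."""
    if not anchor_is_builtin:
        return "skipped"
    if any(spki_pin(spki) in policy["pins"] for spki in chain_spkis):
        return "ok"
    return "violation"

# Constructed sample SPKI byte strings (placeholders, not real public keys) and a
# constructed Public-Key-Pins header that pins the built-in root plus a backup key.
SITE_LEAF, SITE_ROOT, BACKUP = b"spki:site-leaf", b"spki:builtin-root", b"spki:backup-key"
MITM_LEAF, MITM_ROOT = b"spki:intercept-leaf", b"spki:user-installed-root"
HPKP_HEADER = (f'pin-sha256="{spki_pin(SITE_ROOT)}"; pin-sha256="{spki_pin(BACKUP)}"; '
               "max-age=5184000; includeSubDomains")

def demo() -> dict:
    """Same pin set, three chains: genuine site, mismatched chain to a built-in root,
    and a chain to a user-installed root, which is where pinning stops helping."""
    policy = parse_hpkp(HPKP_HEADER)
    return {
        "genuine": check_pins(policy, [SITE_LEAF, SITE_ROOT], anchor_is_builtin=True),
        "builtin_mismatch": check_pins(policy, [MITM_LEAF, MITM_ROOT], anchor_is_builtin=True),
        "user_root": check_pins(policy, [MITM_LEAF, MITM_ROOT], anchor_is_builtin=False),
    }

if __name__ == "__main__":
    print(demo())  # {'genuine': 'ok', 'builtin_mismatch': 'violation', 'user_root': 'skipped'}
```

The third result is the point of the thread: even with a pinning policy cached, a chain that terminates at a locally installed root produces no violation, so pinning alone does not detect this kind of interception.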