Google sites are pinned chrome !!!!
56 views
Skip to first unread message
zglo...@beame.io
May 27, 2016, 8:38:08 AM5/27/16
to Security-dev
Hello
I have been playing with the pinning option and have just configured mitmproxy and instituted an evil hotspot. Evil CA has bene installed in the computer root trust.
I have been playing with the pinning option and have just configured mitmproxy and instituted an evil hotspot. Evil CA has bene installed in the computer root trust.
The I logged into my gmail account NO HARD FAIL. Does anybody want to take a look? I was able to see my google password, and obrain a login I am running 50.0.2661.102 chrome ?
Ideas?
Alex Gaynor
May 27, 2016, 8:39:05 AM5/27/16
to zglo...@beame.io, Security-dev
Locally installed certs override key pins: https://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-
Alex
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
Zeev Glozman
May 27, 2016, 8:53:42 AM5/27/16
to Security-dev
So to test the actual failure, I would have to sign as a public CA. When removing the evil ca, off course the browser fails on domain.
How can i make it fail and see that it works without signing as a public ca? I guess just changing a certificate not to a pinned one?
thank you
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/1gK3koNGdx4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.
Joe Mason
May 27, 2016, 10:58:50 AM5/27/16
to Zeev Glozman, Security-dev
You could get a free publicly signed cert from https://letsencrypt.org/
Torne (Richard Coles)
May 27, 2016, 12:31:26 PM5/27/16
to Joe Mason, Zeev Glozman, Security-dev
Not for gmail.com you can't ;)
Zeev Glozman
May 27, 2016, 12:34:30 PM5/27/16
to Torne (Richard Coles), Joe Mason, Security-dev
Ok I am slow. so I need two certs for the same domain pin one, and the other should fail right ?
Sent from my iPhone
Sent from my iPhone
Torne (Richard Coles)
May 27, 2016, 12:42:06 PM5/27/16
to Zeev Glozman, Joe Mason, Security-dev
Yes, if you get two certs issued by different CAs for the same domain that you control, and pin one of them, then switching the server to use the other one should cause a failure.
Reply all
Reply to author
Forward
0 new messages