| 1 |
On Tue, Jun 1, 2021 at 11:29 PM Rich Freeman <rich0@g.o> wrote: |
| 2 |
|
| 3 |
> On Tue, Jun 1, 2021 at 7:59 AM Adam Carter <adamcarter3@×××××.com> wrote: |
| 4 |
> >> |
| 5 |
> >> And another "wondering" - all the warnings about trusting self signed |
| 6 |
> >> certs seem a bit self serving. Yes, they are trying to certify who you |
| 7 |
> >> are, but at the expense of probably allowing access to your |
| 8 |
> >> communications by "authorised parties" (such as commercial entities |
| 9 |
> >> purchasing access for MITM access - e.g. certain router/firewall |
| 10 |
> >> companies doing deep inspection of SSL via resigning or owning both end |
| 11 |
> >> points). |
| 12 |
> > |
| 13 |
> > AFAIK in an enterprise MITM works by having a local CA added to the cert |
| 14 |
> stores of the workstation fleet, and having that CA auto generate the certs |
| 15 |
> for MITM. That didn't work with certificate pinning, but pinning has been |
| 16 |
> deprecated. |
| 17 |
> |
| 18 |
> So, I don't know all the ways that pinning is implemented, but if |
| 19 |
> you're talking about using MITM to snoop on enterprise devices on the |
| 20 |
> enterprise network I'd think that pinning wouldn't be an issue, |
| 21 |
> because you control the devices from cradle to grave. Just ensure the |
| 22 |
> pinned certificates are the ones that let you MITM the connections. |
| 23 |
> |
| 24 |
|
| 25 |
After seeing Grant's mention of CAA records I think I may have conflated |
| 26 |
pinning with them, or perhaps there were some special controls in Chrome to |
| 27 |
check that google certs were issued by the correct CA? Sorry i'm not clear |
| 28 |
on this now (and may have never been). |
Archives