On Tue, Jun 1, 2021 at 11:29 PM Rich Freeman <rich0@g.o> wrote:

> On Tue, Jun 1, 2021 at 7:59 AM Adam Carter <adamcarter3@×××××.com> wrote:
> >>
> >> And another "wondering" - all the warnings about trusting self-signed
> >> certs seem a bit self-serving. Yes, they are trying to certify who you
> >> are, but at the expense of probably allowing access to your
> >> communications by "authorised parties" (such as commercial entities
> >> purchasing access for MITM access - e.g. certain router/firewall
> >> companies doing deep inspection of SSL via resigning or owning both end
> >> points).
> >
> > AFAIK in an enterprise MITM works by having a local CA added to the cert
> > stores of the workstation fleet, and having that CA auto-generate the certs
> > for MITM. That didn't work with certificate pinning, but pinning has been
> > deprecated.
>
> So, I don't know all the ways that pinning is implemented, but if
> you're talking about using MITM to snoop on enterprise devices on the
> enterprise network I'd think that pinning wouldn't be an issue,
> because you control the devices from cradle to grave. Just ensure the
> pinned certificates are the ones that let you MITM the connections.
>

After seeing Grant's mention of CAA records I think I may have conflated
pinning with them, or perhaps there were some special controls in Chrome to
check that Google certs were issued by the correct CA? Sorry I'm not clear
on this now (and may have never been).
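As an added example (not from anyone in this thread), here is the enterprise setup Adam describes and Rich's "pin the certificates that let you MITM" point played out in Go with the standard crypto/x509 package. A stand-in public CA and a corporate interception CA are generated locally, each issues a leaf for the same hostname, the corp CA is added to the fleet trust store, and the client check is run three ways: plain chain validation, validation plus a pin on the real site's key, and validation plus a pin on the corp CA's key. The CA names, the hostname www.example.com and the pin sets are assumptions made up for the example; the pin itself is the HPKP format, base64 of the SHA-256 over the certificate's SubjectPublicKeyInfo DER.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // key generation and cert creation do not fail in practice
	}
}

// mint generates a P-256 key and has parent issue tmpl over it; nil parent = self-signed.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// caTemplate is a root CA (public CA stand-in or the enterprise interception CA).
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// leafTemplate is a server certificate for host; the interception CA mints one
// of these on the fly for every site a workstation connects to.
func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// spkiPin is the HPKP pin format: base64(SHA-256(SubjectPublicKeyInfo DER)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// accepts is the client-side check. With pins == nil it is the plain trust store
// check; with pins set, some certificate in a valid chain must also carry a pinned key.
func accepts(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false
	}
	if pins == nil {
		return true
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true
			}
		}
	}
	return false
}

// runScenario reports whether the interception leaf gets through with: corp CA in the
// fleet trust store and no pinning; a pin on the real site's key; a pin on the corp
// CA's key. realOK confirms the genuine leaf still passes the site pin.
func runScenario() (trustStoreOnly, sitePinned, corpPinned, realOK bool) {
	const host = "www.example.com" // constructed hostname for the example
	publicCA, publicKey := mint(caTemplate("Public CA"), nil, nil)
	corpCA, corpKey := mint(caTemplate("Corp Interception CA"), nil, nil)
	realLeaf, _ := mint(leafTemplate(host), publicCA, publicKey)
	mitmLeaf, _ := mint(leafTemplate(host), corpCA, corpKey)
	fleet := x509.NewCertPool() // what the enterprise pushes to every workstation
	fleet.AddCert(publicCA)
	fleet.AddCert(corpCA)
	sitePins := map[string]bool{spkiPin(realLeaf): true}
	corpPins := map[string]bool{spkiPin(corpCA): true}
	return accepts(mitmLeaf, fleet, host, nil), accepts(mitmLeaf, fleet, host, sitePins),
		accepts(mitmLeaf, fleet, host, corpPins), accepts(realLeaf, fleet, host, sitePins)
}

func main() { fmt.Println(runScenario()) }
```

Run it with go run and it prints "true false true true": once the corp CA sits in the trust store the interception leaf passes plain chain validation for www.example.com, it fails against a pin on the real site's public key (neither the forged leaf nor the corp CA carries that key), it passes again when the fleet's pin set is the corp CA's own key, which is the cradle-to-grave control Rich describes, and the genuine leaf still satisfies the site pin. CAA records are a different mechanism entirely: they constrain which CAs may issue for a name at issuance time and are checked by the CA, not by the client at connection time, so they do nothing against a locally trusted interception CA.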