From: Adam Carter <adamcarter3@gmail.com>
To: Gentoo User <gentoo-user@lists.gentoo.org>
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Thu, 3 Jun 2021 19:06:21 +1000
Message-ID: <CAC=wYCHDq0Ft254nYTt2s8kchd-GwBdoNzSun9zY0XOvb5C1DQ@mail.gmail.com>
In-Reply-To: <CAGfcS_kDzG_uQyAw_oBv75eLsjQ-9k7yFnJntyE_k6Z72T80hQ@mail.gmail.com>
On Tue, Jun 1, 2021 at 11:29 PM Rich Freeman <rich0@gentoo.org> wrote:
> On Tue, Jun 1, 2021 at 7:59 AM Adam Carter <adamcarter3@gmail.com> wrote:
> >>
> >> And another "wondering" - all the warnings about trusting self signed
> >> certs seem a bit self serving. Yes, they are trying to certify who you
> >> are, but at the expense of probably allowing access to your
> >> communications by "authorised parties" (such as commercial entities
> >> purchasing access for MITM access - e.g. certain router/firewall
> >> companies doing deep inspection of SSL via resigning or owning both end
> >> points).
> >
> > AFAIK in an enterprise MITM works by having a local CA added to the cert
> > stores of the workstation fleet, and having that CA auto generate the certs
> > for MITM. That didn't work with certificate pinning, but pinning has been
> > deprecated.
>
> So, I don't know all the ways that pinning is implemented, but if
> you're talking about using MITM to snoop on enterprise devices on the
> enterprise network I'd think that pinning wouldn't be an issue,
> because you control the devices from cradle to grave. Just ensure the
> pinned certificates are the ones that let you MITM the connections.
>
After seeing Grant's mention of CAA records I think I may have conflated
pinning with them, or perhaps there were some special controls in Chrome to
check that Google certs were issued by the correct CA? Sorry I'm not clear
on this now (and may have never been).
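The CAA records mentioned above work differently from pinning: a CAA record is consulted by the issuing CA at issuance time (RFC 8659), not by the browser at connection time, so an enterprise root that mints its own interception certs never runs this check. The following is an added example, not code from this thread, implementing the RFC 8659 relevant-record lookup and issuance decision over a constructed zone; the names and CA domains in it are made up for illustration.

```python
# Constructed CAA data (not real DNS): owner name -> [(flags, tag, value)].
ZONE = {
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "iodef", "mailto:security@example.com")],
    "secure.example.com.": [(0, "issue", ";")],          # ";" = nobody may issue
    "wild.example.com.": [(0, "issue", "letsencrypt.org"),
                          (0, "issuewild", "digicert.com")],
}


def relevant_caa(name, zone):
    """RFC 8659 s3: walk from the name towards the root, stop at the first
    owner that has a CAA RRset. No records anywhere means no restriction."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return zone[candidate]
    return []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn, ca_domain, zone):
    """Decide whether a public CA identified by ca_domain may issue for fqdn.
    Wildcard names use 'issuewild' when present, otherwise 'issue'.
    Non-wildcard names are governed by 'issue' only."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    records = relevant_caa(name, zone)
    issue = [v for (_, tag, v) in records if tag == "issue"]
    issuewild = [v for (_, tag, v) in records if tag == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # relevant RRset does not restrict this kind of issuance
    # A bare ";" yields an empty issuer domain, which no CA can match.
    return ca_domain.lower() in {issuer_domain(v) for v in applicable}


if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("secure.example.com", "letsencrypt.org"),
                     ("*.wild.example.com", "digicert.com")]:
        print(f"{ca} may issue for {fqdn}: {ca_may_issue(fqdn, ca, ZONE)}")
```

The check runs inside the CA's issuance pipeline, which is why a locally installed interception CA is unaffected by it; what stops that case on a managed fleet is control of the trust store, not CAA.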