<p dir="ltr">Also, Comodo might want to tell us what is going on here:</p>
<p dir="ltr"><a href="http://news.softpedia.com/news/Comodo-s-PrivDog-Breaks-HTTPS-Security-Possibly-Worse-than-Superfish-473968.shtml">http://news.softpedia.com/news/Comodo-s-PrivDog-Breaks-HTTPS-Security-Possibly-Worse-than-Superfish-473968.shtml</a></p>
<div class="gmail_quote">On Feb 23, 2015 11:05, "Ryan Sleevi" &lt;<a href="mailto:sleevi@google.com">sleevi@google.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, Feb 23, 2015 at 10:41 AM, Bruce Morton &lt;<a href="mailto:bruce.morton@entrust.com">bruce.morton@entrust.com</a>&gt; wrote:<br>
> Have we just come across an issue with operating systems/browsers and<br>
> private roots?<br>
><br>
<br>
Yes<br>
<br>
><br>
><br>
> I suppose an attacker can install proxy software with their private root and<br>
> examine all secured traffic. We don’t need Lenovo to install this software,<br>
> this could easily be done by any corner-store computer shop.<br>
><br>
<br>
Correct<br>
<br>
><br>
><br>
> Should private roots get the same trust indication as public trust roots?<br>
><br>
<br>
Yes.<br>
<br>
><br>
><br>
> Public key pinning didn’t even catch this issue as the private root seems to<br>
> be trusted more than the public trust roots are.<br>
<br>
Correct, because public key pinning is not designed to catch such<br>
issues, as it cannot catch such issues.<br>
<br>
<a href="http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-" target="_blank">http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-</a><br>
<br>
><br>
><br>
><br>
> Thanks, Bruce.<br>
><br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
</blockquote></div>
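<p dir="ltr">Added example, not part of the original thread and not Chromium's code: a simplified model of the policy in the linked Chromium security FAQ, where pin validation applies only to chains ending at a built-in public root and is skipped for a locally installed trust anchor. All names and key bytes are constructed, and the <code>audit_flag</code> field is a hypothetical defender-side signal.</p>

```python
import hashlib
from dataclasses import dataclass

def spki_pin(spki: bytes) -> str:
    """A pin is the SHA-256 of a certificate's SubjectPublicKeyInfo."""
    return hashlib.sha256(spki).hexdigest()

@dataclass(frozen=True)
class Verdict:
    accepted: bool
    pins_checked: bool
    audit_flag: bool  # pinned host reached through a locally installed root

def evaluate(host, chain, builtin_roots, local_roots, pinsets):
    """chain: SPKI byte strings, leaf first; the last entry is the trust anchor."""
    anchor = spki_pin(chain[-1])
    pins = pinsets.get(host)
    if anchor in local_roots:
        # Locally installed anchor: pin validation is skipped by design,
        # so the only defensive signal left is an audit flag.
        return Verdict(True, False, pins is not None)
    if anchor not in builtin_roots:
        return Verdict(False, False, False)  # chain does not reach a trusted root
    if pins is None:
        return Verdict(True, False, False)  # host publishes no pins
    return Verdict(any(spki_pin(k) in pins for k in chain), True, False)

# Constructed stand-ins for DER-encoded SPKI bytes (not real keys).
PUBLIC_ROOT, PUBLIC_INT, SITE_KEY = b"public-root", b"public-int", b"site-key"
OTHER_ROOT, PROXY_ROOT, PROXY_LEAF = b"other-root", b"proxy-root", b"proxy-leaf"
BUILTIN = {spki_pin(PUBLIC_ROOT), spki_pin(OTHER_ROOT)}
PINSETS = {"pinned.example": {spki_pin(PUBLIC_INT)}}

def scenarios():
    local = {spki_pin(PROXY_ROOT)}  # root added by the preinstalled proxy software
    run = lambda chain, roots: evaluate("pinned.example", chain, BUILTIN, roots, PINSETS)
    return {
        "genuine": run([SITE_KEY, PUBLIC_INT, PUBLIC_ROOT], local),
        "misissued_public_ca": run([SITE_KEY, OTHER_ROOT], local),
        "local_proxy": run([PROXY_LEAF, PROXY_ROOT], local),
        "proxy_root_absent": run([PROXY_LEAF, PROXY_ROOT], set()),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20} {verdict}")
```

<p dir="ltr">In this model the pin set rejects a mis-issued certificate from another public CA, while the chain through the locally installed root is accepted with no pin check, which is why inventorying non-default roots in the trust store is the control that applies here.</p>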