
<p dir="ltr">Also, Comodo might want to tell us what is going on here:</p>

<p dir="ltr"><a href="http://news.softpedia.com/news/Comodo-s-PrivDog-Breaks-HTTPS-Security-Possibly-Worse-than-Superfish-473968.shtml">http://news.softpedia.com/news/Comodo-s-PrivDog-Breaks-HTTPS-Security-Possibly-Worse-than-Superfish-473968.shtml</a></p>

<div class="gmail_quote">On Feb 23, 2015 11:05, "Ryan Sleevi" <<a href="mailto:sleevi@google.com">sleevi@google.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, Feb 23, 2015 at 10:41 AM, Bruce Morton <<a href="mailto:bruce.morton@entrust.com">bruce.morton@entrust.com</a>> wrote:<br>

> Have we just come across an issue with operating systems/browsers and<br>

> private roots?<br>

><br>

<br>

Yes<br>

<br>

><br>

><br>

> I suppose an attacker can install proxy software with their private root and<br>

> examine all secured traffic. We don’t need Lenovo to install this software,<br>

> this could easily be done by any corner-store computer shop.<br>

><br>

<br>

Correct<br>

<br>

><br>

><br>

> Should private roots get the same trust indication as public trust roots?<br>

><br>

<br>

Yes.<br>

<br>

><br>

><br>

> Public key pinning didn’t even catch this issue as the private root seems to<br>

> be trusted more than the public trust roots are.<br>

<br>

Correct, because public key pinning is not designed to catch such<br>

issues, as it cannot catch such issues.<br>

<br>

<a href="http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-" target="_blank">http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-</a><br>

<br>

><br>

><br>

><br>

> Thanks, Bruce.<br>

><br>

_______________________________________________<br>

Public mailing list<br>

<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>

<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>

</blockquote></div>