[cabfpub] Lenovo installation of malicious root.

Chris Palmer palmer at google.com
Mon Feb 23 12:37:30 MST 2015


Also, Comodo might want to tell us what is going on here:

http://news.softpedia.com/news/Comodo-s-PrivDog-Breaks-HTTPS-Security-Possibly-Worse-than-Superfish-473968.shtml
On Feb 23, 2015 11:05, "Ryan Sleevi" <sleevi at google.com> wrote:

> On Mon, Feb 23, 2015 at 10:41 AM, Bruce Morton <bruce.morton at entrust.com>
> wrote:
> > Have we just come across an issue with operating systems/browsers and
> > private roots?
> >
>
> Yes
>
> >
> >
> > I suppose an attacker can install proxy software with their private root
> and
> > examine all secured traffic. We don’t need Lenovo to install this
> software,
> > this could easily be done by any corner-store computer shop.
> >
>
> Correct
>
> >
> >
> > Should private roots get the same trust indication as public trust roots?
> >
>
> Yes.
>
> >
> >
> > Public key pinning didn’t even catch this issue as the private root
> seems to
> > be trusted more than the public trust roots are.
>
> Correct, because public key pinning is not designed to catch such
> issues, as it cannot catch such issues.
>
>
> http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-
>
> >
> >
> >
> > Thanks, Bruce.
> >
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20150223/5caea548/attachment.html 


More information about the Public mailing list