[cabfpub] Lenovo installation of malicious root.
Ryan Sleevi
sleevi at google.com
Mon Feb 23 19:05:25 UTC 2015
On Mon, Feb 23, 2015 at 10:41 AM, Bruce Morton <bruce.morton at entrust.com> wrote:
> Have we just come across an issue with operating systems/browsers and
> private roots?
>
Yes
>
>
> I suppose an attacker can install proxy software with their private root and
> examine all secured traffic. We don’t need Lenovo to install this software,
> this could easily be done by any corner-store computer shop.
>
Correct
>
>
> Should private roots get the same trust indication as public trust roots?
>
Yes.
>
>
> Public key pinning didn’t even catch this issue as the private root seems to
> be trusted more than the public trust roots are.
Correct, because public key pinning is not designed to catch such
issues, as it cannot catch such issues.
http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-
>
>
>
> Thanks, Bruce.
>
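A worked illustration of the pinning point above, added here and not part of the original thread or of any browser's code: a simplified model (as described in the linked Chromium FAQ) in which pins are enforced only for chains that end in a root shipped with the browser or OS, so a chain terminating in a locally installed private root is accepted without a pin check. The certificates, fingerprints, hostname and store are constructed placeholders; `validate` and `audit_local_roots` are hypothetical helpers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: str        # stands in for the SHA-256 hash of the SubjectPublicKeyInfo


@dataclass(frozen=True)
class Anchor:
    cert: Cert
    builtin: bool    # True: from the OS/browser root program; False: added locally


# Constructed sample data: two public roots, one locally added interception root,
# and a pin set for one site that only admits the first public root's key.
PUBLIC_ROOT = Cert("CN=Public Root", "CN=Public Root", "spki-public-root")
OTHER_ROOT = Cert("CN=Other Public Root", "CN=Other Public Root", "spki-other-root")
LOCAL_ROOT = Cert("CN=Local Proxy Root", "CN=Local Proxy Root", "spki-local-proxy")
STORE = [Anchor(PUBLIC_ROOT, True), Anchor(OTHER_ROOT, True), Anchor(LOCAL_ROOT, False)]
PINS = {"example.test": {"spki-public-root"}}


def find_anchor(chain, store):
    """Return the trust anchor whose subject issued the last cert in the chain."""
    top = chain[-1]
    for anchor in store:
        if anchor.cert.subject == top.issuer:
            return anchor
    return None


def validate(host, chain, store, pins):
    """Model of pin enforcement: pins are only checked against builtin roots."""
    anchor = find_anchor(chain, store)
    if anchor is None:
        return "untrusted"
    if not anchor.builtin:
        # A locally added root is trusted unconditionally; the pin is never consulted.
        return "accepted-pin-bypassed-local-root"
    keys = {c.spki for c in chain} | {anchor.cert.spki}
    if host in pins and not (keys & pins[host]):
        return "rejected-pin-violation"
    return "accepted"


def audit_local_roots(store):
    """Defender's check: list trust anchors that did not come from the root program."""
    return [a.cert.subject for a in store if not a.builtin]


if __name__ == "__main__":
    leaf = Cert("CN=example.test", "CN=Local Proxy Root", "spki-mitm-leaf")
    print(validate("example.test", [leaf], STORE, PINS), audit_local_roots(STORE))
```

Because pins never apply to the locally added root, the only signal a defender gets is from auditing the trust store itself, which is what `audit_local_roots` models.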