How to check for unofficially installed CA certificates to avoid MITM attacksWhere does Ubuntu store the SSL...
Gears on left are inverse to gears on right?
How long to clear the 'suck zone' of a turbofan after start is initiated?
Different result between scanning in Epson's "color negative film" mode and scanning in positive -> invert curve in post?
Is exact Kanji stroke length important?
Anatomically Correct Strange Women In Ponds Distributing Swords
India just shot down a satellite from the ground. At what altitude range is the resulting debris field?
What is the intuitive meaning of having a linear relationship between the logs of two variables?
Sequence of Tenses: Translating the subjunctive
Short story about space worker geeks who zone out by 'listening' to radiation from stars
Return the Closest Prime Number
Why, precisely, is argon used in neutrino experiments?
Trouble understanding the speech of overseas colleagues
Why escape if the_content isnt?
Where does the Z80 processor start executing from?
Do sorcerers' Subtle Spells require a skill check to be unseen?
How to write papers efficiently when English isn't my first language?
Would this custom Sorcerer variant that can only learn any verbal-component-only spell be unbalanced?
How do scammers retract money, while you can’t?
What is the best translation for "slot" in the context of multiplayer video games?
How does it work when somebody invests in my business?
Is expanding the research of a group into machine learning as a PhD student risky?
Term for the "extreme-extension" version of a straw man fallacy?
How does the UK government determine the size of a mandate?
Escape a backup date in a file name
How to check for unofficially installed CA certificates to avoid MITM attacks
Where does Ubuntu store the SSL certificates for Pidgin?How to use certificates for Eduroam?How to manage imported certificates?How to install certificates for command lineDoes snap require particular certificates to be installed?Update-ca-certificates: 0 added; 0 removed - how come?How do you set up SSL certificates for additional ports in Apache?Nginx reverse proxy for Apache: does Apache need SSL certificates?Messed-up with ca-certificates/ How to restore back to defaulthow to revoke x.509 certificates?
I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
To make the situation more clear:
SSL web browsing is exactly as strong as the weakest CA.
I wan't to make sure my HTTPS connections are secure at least in three aspects:
- Chrome/Chromium
- Firefox
- Ubuntu official repos/Snap
There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?
Some "research"
checkmyhttps seems old and not trustworthy
Chrome: I'm not sure if
chrome://settings/certificatesis a subset of what return some of this commands:
locate .pem | grep ".pem$" | xargs -I{} openssl x509 -issuer -enddate -noout -in {}
trust list
certutil -L
- I already
sudo update-ca-certificates -v -fbut this seems to just update, not remove any sneaky installed certificate.
Reference
- https://www.chromium.org/Home/chromium-security/root-ca-policy
google-chrome security ssl certificates privacy
asked 10 mins ago
Pablo BianchiPablo Bianchi
3,02021536
add a comment |
I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
To make the situation more clear:
SSL web browsing is exactly as strong as the weakest CA.
I wan't to make sure my HTTPS connections are secure at least in three aspects:
- Chrome/Chromium
- Firefox
- Ubuntu official repos/Snap
There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?
Some "research"
checkmyhttps seems old and not trustworthy
Chrome: I'm not sure if
chrome://settings/certificatesis a subset of what return some of this commands:
locate .pem | grep ".pem$" | xargs -I{} openssl x509 -issuer -enddate -noout -in {}
trust list
certutil -L
- I already
sudo update-ca-certificates -v -fbut this seems to just update, not remove any sneaky installed certificate.
Reference
- https://www.chromium.org/Home/chromium-security/root-ca-policy
google-chrome security ssl certificates privacy
asked 10 mins ago
Pablo BianchiPablo Bianchi
3,02021536
add a comment |
I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
To make the situation more clear:
SSL web browsing is exactly as strong as the weakest CA.
I wan't to make sure my HTTPS connections are secure at least in three aspects:
- Chrome/Chromium
- Firefox
- Ubuntu official repos/Snap
There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?
Some "research"
checkmyhttps seems old and not trustworthy
Chrome: I'm not sure if
chrome://settings/certificatesis a subset of what return some of this commands:
locate .pem | grep ".pem$" | xargs -I{} openssl x509 -issuer -enddate -noout -in {}
trust list
certutil -L
- I already
sudo update-ca-certificates -v -fbut this seems to just update, not remove any sneaky installed certificate.
Reference
- https://www.chromium.org/Home/chromium-security/root-ca-policy
google-chrome security ssl certificates privacy
asked 10 mins ago
Pablo BianchiPablo Bianchi
3,02021536
I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
To make the situation more clear:
SSL web browsing is exactly as strong as the weakest CA.
I wan't to make sure my HTTPS connections are secure at least in three aspects:
- Chrome/Chromium
- Firefox
- Ubuntu official repos/Snap
There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?
Some "research"
checkmyhttps seems old and not trustworthy
Chrome: I'm not sure if
chrome://settings/certificatesis a subset of what return some of this commands:
locate .pem | grep ".pem$" | xargs -I{} openssl x509 -issuer -enddate -noout -in {}
trust list
certutil -L
- I already
sudo update-ca-certificates -v -fbut this seems to just update, not remove any sneaky installed certificate.
Reference
- https://www.chromium.org/Home/chromium-security/root-ca-policy
google-chrome security ssl certificates privacy
google-chrome security ssl certificates privacy
asked 10 mins ago
Pablo BianchiPablo Bianchi
3,02021536
asked 10 mins ago
Pablo BianchiPablo Bianchi
3,02021536
edited 5 secs ago
Pablo Bianchi
asked 10 mins ago
Pablo BianchiPablo Bianchi
3,02021536
asked 10 mins ago
Pablo BianchiPablo Bianchi
3,02021536
asked 10 mins ago
Pablo BianchiPablo Bianchi
3,02021536
3,02021536
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1129300%2fhow-to-check-for-unofficially-installed-ca-certificates-to-avoid-mitm-attacks%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1129300%2fhow-to-check-for-unofficially-installed-ca-certificates-to-avoid-mitm-attacks%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
