
Add a setting to not perform pinning validation with custom/private CAs #12

Closed
nabla-c0d3 opened this issue Jun 23, 2015 · 0 comments

Comments

@nabla-c0d3
Member

Chrome does not perform pinning validation when the certificate chain chains up to a private trust anchor, for good reasons:
"We deem this acceptable because the proxy or MITM can only be effective if the client machine has already been configured to trust the proxy’s issuing certificate — that is, the client is already under the control of the person who controls the proxy (e.g. the enterprise’s IT administrator). If the client does not trust the private trust anchor, the proxy’s attempt to mediate the connection will fail as it should."

This is needed to allow corporate proxies, firewalls, etc. to proxy/MITM the connections. We should add a setting to allow this, i.e. disabling pinning validation for private CAs.

This can only be implemented on OS X, using SecTrustSettingsCopyCertificates(). On iOS this API is not available and the feature can't be implemented at all.
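The decision described in this issue, as an added example that is not TrustKit's own code: pin validation runs only when the validated chain ends in a root shipped with the OS, and is skipped when the root was installed by the user or an administrator. It is written in Python rather than the project's Objective-C so it runs anywhere. The certificate objects, the two anchor sets and the pins are constructed placeholders; the private-anchor set stands in for what SecTrustSettingsCopyCertificates() would return for the user and admin trust-settings domains on OS X, and the "untrusted" outcome stands in for a failed SecTrustEvaluate.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate. Real code would hold the
    DER bytes and derive subject/issuer/SPKI from them via the Security framework."""
    subject: str
    issuer: str
    spki_der: bytes  # DER-encoded SubjectPublicKeyInfo; placeholder bytes in this example


def spki_hash(cert: Cert) -> str:
    """base64(SHA-256(SPKI)): the pin format TrustKit and HPKP use."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode("ascii")


def classify_anchor(chain: List[Cert], system_anchors: Set[Cert],
                    private_anchors: Set[Cert]) -> str:
    """Classify the root a validated chain ends in: "system", "private" or "untrusted".

    Chains are leaf-first, anchor last, the order SecTrustGetCertificateAtIndex
    returns them in. `private_anchors` is the stand-in for the certificates
    SecTrustSettingsCopyCertificates() reports on OS X; on iOS that API does not
    exist, so this classification cannot be made there (as the issue notes).
    """
    if not chain:
        return "untrusted"
    root = chain[-1]
    # System roots are checked first: re-adding a public root under user trust
    # settings must not turn it into a "private" anchor that disables pinning.
    if root in system_anchors:
        return "system"
    if root in private_anchors:
        return "private"
    return "untrusted"


def pin_matches(chain: List[Cert], pins: Set[str]) -> bool:
    """Pinning passes if any certificate in the chain carries a pinned SPKI,
    so a pin may sit on the leaf, an intermediate or the root."""
    return any(spki_hash(c) in pins for c in chain)


def evaluate(chain: List[Cert], pins: Set[str], system_anchors: Set[Cert],
             private_anchors: Set[Cert], allow_private_anchors: bool) -> Tuple[bool, str]:
    """Accept or reject the connection. Returns (accepted, reason)."""
    anchor = classify_anchor(chain, system_anchors, private_anchors)
    if anchor == "untrusted":
        # Path validation failed. The setting never rescues a chain the client
        # does not trust in the first place; there is nothing to pin against.
        return False, "chain does not reach a trusted root"
    if anchor == "private" and allow_private_anchors:
        # Chrome's rationale: the client was already configured to trust this
        # root, so whoever controls the root already controls the client.
        return True, "private trust anchor, pinning validation skipped"
    if pin_matches(chain, pins):
        return True, "pin matched"
    return False, "pin validation failed"


# --- constructed sample data (hypothetical names and placeholder SPKI bytes) ---
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", b"spki-public-root")
PUBLIC_INTERMEDIATE = Cert("Public Issuing CA", "Public Root CA", b"spki-public-intermediate")
REAL_LEAF = Cert("api.example.com", "Public Issuing CA", b"spki-real-leaf")
BACKUP_LEAF_KEY = Cert("api.example.com", "Public Issuing CA", b"spki-backup-key")

CORP_ROOT = Cert("Corp TLS Inspection Root", "Corp TLS Inspection Root", b"spki-corp-root")
PROXY_LEAF = Cert("api.example.com", "Corp TLS Inspection Root", b"spki-proxy-forged")

ROGUE_ROOT = Cert("Rogue Root", "Rogue Root", b"spki-rogue-root")
ROGUE_LEAF = Cert("api.example.com", "Rogue Root", b"spki-rogue-leaf")

SYSTEM_ANCHORS = {PUBLIC_ROOT}
PRIVATE_ANCHORS = {CORP_ROOT}  # installed by the enterprise's IT administrator
PINS = {spki_hash(REAL_LEAF), spki_hash(BACKUP_LEAF_KEY)}  # current key plus a backup pin

REAL_CHAIN = [REAL_LEAF, PUBLIC_INTERMEDIATE, PUBLIC_ROOT]
PROXY_CHAIN = [PROXY_LEAF, CORP_ROOT]   # corporate proxy re-signs with its own root
ROGUE_CHAIN = [ROGUE_LEAF, ROGUE_ROOT]  # root not installed anywhere on the client


def run_scenarios(allow_private_anchors: bool) -> dict:
    """Evaluate the three constructed chains under one value of the setting."""
    return {
        name: evaluate(chain, PINS, SYSTEM_ANCHORS, PRIVATE_ANCHORS, allow_private_anchors)
        for name, chain in (("real", REAL_CHAIN), ("proxy", PROXY_CHAIN), ("rogue", ROGUE_CHAIN))
    }


if __name__ == "__main__":
    for setting in (False, True):
        print(f"allow_private_anchors={setting}")
        for name, (accepted, reason) in run_scenarios(setting).items():
            print(f"  {name:5s} -> {'accept' if accepted else 'reject'}: {reason}")
```

With the setting off, the corporate proxy's chain fails pin validation; with it on, the same chain is accepted without a pin check, while a chain to a root the client never trusted is rejected either way. Checking the system store before the private one matters: a public root that an administrator re-adds under user trust settings still counts as a system anchor and remains subject to pinning.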
