Chrome does not perform pinning validation when the certificate chain chains up to a private trust anchor, for good reasons:
"We deem this acceptable because the proxy or MITM can only be effective if the client machine has already been configured to trust the proxy’s issuing certificate — that is, the client is already under the control of the person who controls the proxy (e.g. the enterprise’s IT administrator). If the client does not trust the private trust anchor, the proxy’s attempt to mediate the connection will fail as it should."
This is needed to allow corporate proxies, firewalls, etc. to proxy/MiTM the connections. We should add a setting to allow this, i.e. disabling pinning validation for private CAs.
This can only be implemented on OS X, using SecTrustSettingsCopyCertificates(). On iOS this API is not available and the feature can't be implemented at all.
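One way the proposed check could look on OS X, as an added example that is not code from this issue or from the project. The names `ChainEndsInPrivateAnchor`, `ShouldEnforcePinning` and `ignorePinningForPrivateAnchors` are hypothetical, and the code assumes `serverTrust` has already passed default trust evaluation, so the last certificate in the chain is the anchor.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper: YES when the anchor of an already-evaluated chain has
// trust settings in the user or admin domain, i.e. it was installed locally
// rather than shipped in the system root store.
static BOOL ChainEndsInPrivateAnchor(SecTrustRef serverTrust)
{
    CFIndex count = SecTrustGetCertificateCount(serverTrust);
    if (count == 0) {
        return NO; // No chain available: fail closed, pinning still applies.
    }
    // Assumption: evaluation succeeded, so index count-1 is the trust anchor.
    // (Newer macOS SDKs deprecate this call for SecTrustCopyCertificateChain.)
    SecCertificateRef anchor = SecTrustGetCertificateAtIndex(serverTrust, count - 1);
    if (anchor == NULL) {
        return NO;
    }

    const SecTrustSettingsDomain domains[] = {
        kSecTrustSettingsDomainUser,
        kSecTrustSettingsDomainAdmin
    };
    for (size_t d = 0; d < sizeof(domains) / sizeof(domains[0]); d++) {
        CFArrayRef certs = NULL;
        OSStatus status = SecTrustSettingsCopyCertificates(domains[d], &certs);
        if (status != errSecSuccess || certs == NULL) {
            continue; // e.g. errSecNoTrustSettings: nothing in this domain.
        }
        BOOL found = NO;
        for (CFIndex i = 0; i < CFArrayGetCount(certs) && !found; i++) {
            found = CFEqual(CFArrayGetValueAtIndex(certs, i), anchor);
        }
        CFRelease(certs);
        if (found) {
            return YES;
        }
    }
    return NO;
}

// Hypothetical policy wrapper: pinning is skipped only when the opt-in
// setting is enabled AND the chain ends in a locally installed anchor.
static BOOL ShouldEnforcePinning(SecTrustRef serverTrust,
                                 BOOL ignorePinningForPrivateAnchors)
{
    return !(ignorePinningForPrivateAnchors && ChainEndsInPrivateAnchor(serverTrust));
}
```

A system root whose trust settings a user has overridden also appears in the user domain, so a stricter variant would additionally confirm that the anchor is absent from `kSecTrustSettingsDomainSystem`.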