Ttgjyuk

What happens if you roll doubles 3 times then land on "Go to jail?"

Class Action - which options I have?

Is it appropriate to ask a job candidate if we can record their interview?

Go Pregnant or Go Home

How to Reset Passwords on Multiple Websites Easily?

How to run a prison with the smallest amount of guards?

Where does the Z80 processor start executing from?

Lay out the Carpet

Proof of work - lottery approach

How does the UK government determine the size of a mandate?

How to pronounce the slash sign

Is a stroke of luck acceptable after a series of unfavorable events?

How can I kill an app using Terminal?

when is out of tune ok?

Valid Badminton Score?

Is there a good way to store credentials outside of a password manager?

Crossing the line between justified force and brutality

A particular customize with green line and letters for subfloat

Short story about space worker geeks who zone out by 'listening' to radiation from stars

Method to test if a number is a perfect power?

Sort a list by elements of another list

Roman Numeral Treatment of Suspensions

Anatomically Correct Strange Women In Ponds Distributing Swords

Is the destination of a commercial flight important for the pilot?

How to check for unofficially installed CA certificates to avoid MITM attacks

Where does Ubuntu store the SSL certificates for Pidgin?How to use certificates for Eduroam?How to manage imported certificates?How to install certificates for command lineDoes snap require particular certificates to be installed?Update-ca-certificates: 0 added; 0 removed - how come?How do you set up SSL certificates for additional ports in Apache?Nginx reverse proxy for Apache: does Apache need SSL certificates?Messed-up with ca-certificates/ How to restore back to defaulthow to revoke x.509 certificates?

0

I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:

To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.

[...]

Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].

To make the situation more clear:

SSL web browsing is exactly as strong as the weakest CA.

I wan't to make sure my HTTPS connections are secure at least in three aspects:

• Chrome/Chromium


• Firefox


• Ubuntu official repos/Snap

There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?

Some "research"

• 
  checkmyhttps seems old and not trustworthy


• 
  

  Chrome: I'm not sure if chrome://settings/certificates is a subset of what return some of this commands:

  
  
  

  locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in 
  trust list
  certutil -L
  

  
  


• I already sudo update-ca-certificates -v -f but this seems to just update, not remove any sneaky installed certificate.

Reference

• https://www.chromium.org/Home/chromium-security/root-ca-policy

google-chrome security ssl certificates privacy

share|improve this question

edited 2 mins ago

Pablo Bianchi

asked 13 mins ago

Pablo BianchiPablo Bianchi

3,02021536

add a comment | 

0

I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:

To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.

[...]

Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].

To make the situation more clear:

SSL web browsing is exactly as strong as the weakest CA.

I wan't to make sure my HTTPS connections are secure at least in three aspects:

• Chrome/Chromium


• Firefox


• Ubuntu official repos/Snap

There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?

Some "research"

• 
  checkmyhttps seems old and not trustworthy


• 
  

  Chrome: I'm not sure if chrome://settings/certificates is a subset of what return some of this commands:

  
  
  

  locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in 
  trust list
  certutil -L
  

  
  


• I already sudo update-ca-certificates -v -f but this seems to just update, not remove any sneaky installed certificate.

Reference

• https://www.chromium.org/Home/chromium-security/root-ca-policy

google-chrome security ssl certificates privacy

share|improve this question

edited 2 mins ago

Pablo Bianchi

asked 13 mins ago

Pablo BianchiPablo Bianchi

3,02021536

add a comment | 

I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:

To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.

[...]

Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].

To make the situation more clear:

SSL web browsing is exactly as strong as the weakest CA.

I wan't to make sure my HTTPS connections are secure at least in three aspects:

• Chrome/Chromium


• Firefox


• Ubuntu official repos/Snap

There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?

Some "research"

• 
  checkmyhttps seems old and not trustworthy


• 
  

  Chrome: I'm not sure if chrome://settings/certificates is a subset of what return some of this commands:

  
  
  

  locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in 
  trust list
  certutil -L
  

  
  


• I already sudo update-ca-certificates -v -f but this seems to just update, not remove any sneaky installed certificate.

Reference

• https://www.chromium.org/Home/chromium-security/root-ca-policy

google-chrome security ssl certificates privacy

share|improve this question

edited 2 mins ago

Pablo Bianchi

asked 13 mins ago

Pablo BianchiPablo Bianchi

3,02021536

share|improve this question

edited 2 mins ago

Pablo Bianchi

asked 13 mins ago

Pablo BianchiPablo Bianchi

3,02021536

share|improve this question

edited 2 mins ago

Pablo Bianchi

asked 13 mins ago

Pablo BianchiPablo Bianchi

3,02021536

asked 13 mins ago

Pablo BianchiPablo Bianchi

3,02021536

asked 13 mins ago

Pablo BianchiPablo Bianchi

3,02021536