How to check for unofficially installed CA certificates to avoid MITM attacksWhere does Ubuntu store the SSL certificates for Pidgin?How to use certificates for Eduroam?How to manage imported certificates?How to install certificates for command lineDoes snap require particular certificates to be installed?Update-ca-certificates: 0 added; 0 removed - how come?How do you set up SSL certificates for additional ports in Apache?Nginx reverse proxy for Apache: does Apache need SSL certificates?Messed-up with ca-certificates/ How to restore back to defaulthow to revoke x.509 certificates?
What happens if you roll doubles 3 times then land on "Go to jail?"
Class Action - which options I have?
Is it appropriate to ask a job candidate if we can record their interview?
Go Pregnant or Go Home
How to Reset Passwords on Multiple Websites Easily?
How to run a prison with the smallest amount of guards?
Where does the Z80 processor start executing from?
Lay out the Carpet
Proof of work - lottery approach
How does the UK government determine the size of a mandate?
How to pronounce the slash sign
Is a stroke of luck acceptable after a series of unfavorable events?
How can I kill an app using Terminal?
when is out of tune ok?
Valid Badminton Score?
Is there a good way to store credentials outside of a password manager?
Crossing the line between justified force and brutality
A particular customize with green line and letters for subfloat
Short story about space worker geeks who zone out by 'listening' to radiation from stars
Method to test if a number is a perfect power?
Sort a list by elements of another list
Roman Numeral Treatment of Suspensions
Anatomically Correct Strange Women In Ponds Distributing Swords
Is the destination of a commercial flight important for the pilot?
How to check for unofficially installed CA certificates to avoid MITM attacks
Where does Ubuntu store the SSL certificates for Pidgin?How to use certificates for Eduroam?How to manage imported certificates?How to install certificates for command lineDoes snap require particular certificates to be installed?Update-ca-certificates: 0 added; 0 removed - how come?How do you set up SSL certificates for additional ports in Apache?Nginx reverse proxy for Apache: does Apache need SSL certificates?Messed-up with ca-certificates/ How to restore back to defaulthow to revoke x.509 certificates?
I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
To make the situation more clear:
SSL web browsing is exactly as strong as the weakest CA.
I wan't to make sure my HTTPS connections are secure at least in three aspects:
- Chrome/Chromium
- Firefox
- Ubuntu official repos/Snap
There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?
Some "research"
checkmyhttps seems old and not trustworthyChrome: I'm not sure if
chrome://settings/certificates
is a subset of what return some of this commands:locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in
trust list
certutil -L- I already
sudo update-ca-certificates -v -f
but this seems to just update, not remove any sneaky installed certificate.
Reference
- https://www.chromium.org/Home/chromium-security/root-ca-policy
google-chrome security ssl certificates privacy
add a comment |
I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
To make the situation more clear:
SSL web browsing is exactly as strong as the weakest CA.
I wan't to make sure my HTTPS connections are secure at least in three aspects:
- Chrome/Chromium
- Firefox
- Ubuntu official repos/Snap
There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?
Some "research"
checkmyhttps seems old and not trustworthyChrome: I'm not sure if
chrome://settings/certificates
is a subset of what return some of this commands:locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in
trust list
certutil -L- I already
sudo update-ca-certificates -v -f
but this seems to just update, not remove any sneaky installed certificate.
Reference
- https://www.chromium.org/Home/chromium-security/root-ca-policy
google-chrome security ssl certificates privacy
add a comment |
I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
To make the situation more clear:
SSL web browsing is exactly as strong as the weakest CA.
I wan't to make sure my HTTPS connections are secure at least in three aspects:
- Chrome/Chromium
- Firefox
- Ubuntu official repos/Snap
There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?
Some "research"
checkmyhttps seems old and not trustworthyChrome: I'm not sure if
chrome://settings/certificates
is a subset of what return some of this commands:locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in
trust list
certutil -L- I already
sudo update-ca-certificates -v -f
but this seems to just update, not remove any sneaky installed certificate.
Reference
- https://www.chromium.org/Home/chromium-security/root-ca-policy
google-chrome security ssl certificates privacy
I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
To make the situation more clear:
SSL web browsing is exactly as strong as the weakest CA.
I wan't to make sure my HTTPS connections are secure at least in three aspects:
- Chrome/Chromium
- Firefox
- Ubuntu official repos/Snap
There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?
Some "research"
checkmyhttps seems old and not trustworthyChrome: I'm not sure if
chrome://settings/certificates
is a subset of what return some of this commands:locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in
trust list
certutil -L- I already
sudo update-ca-certificates -v -f
but this seems to just update, not remove any sneaky installed certificate.
Reference
- https://www.chromium.org/Home/chromium-security/root-ca-policy
google-chrome security ssl certificates privacy
google-chrome security ssl certificates privacy
edited 2 mins ago
Pablo Bianchi
asked 13 mins ago
Pablo BianchiPablo Bianchi
3,02021536
3,02021536
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1129300%2fhow-to-check-for-unofficially-installed-ca-certificates-to-avoid-mitm-attacks%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1129300%2fhow-to-check-for-unofficially-installed-ca-certificates-to-avoid-mitm-attacks%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown