How to check for unofficially installed CA certificates to avoid MITM attacksWhere does Ubuntu store the SSL certificates for Pidgin?How to use certificates for Eduroam?How to manage imported certificates?How to install certificates for command lineDoes snap require particular certificates to be installed?Update-ca-certificates: 0 added; 0 removed - how come?How do you set up SSL certificates for additional ports in Apache?Nginx reverse proxy for Apache: does Apache need SSL certificates?Messed-up with ca-certificates/ How to restore back to defaulthow to revoke x.509 certificates?

What happens if you roll doubles 3 times then land on "Go to jail?"

Class Action - which options I have?

Is it appropriate to ask a job candidate if we can record their interview?

Go Pregnant or Go Home

How to Reset Passwords on Multiple Websites Easily?

How to run a prison with the smallest amount of guards?

Where does the Z80 processor start executing from?

Lay out the Carpet

Proof of work - lottery approach

How does the UK government determine the size of a mandate?

How to pronounce the slash sign

Is a stroke of luck acceptable after a series of unfavorable events?

How can I kill an app using Terminal?

when is out of tune ok?

Valid Badminton Score?

Is there a good way to store credentials outside of a password manager?

Crossing the line between justified force and brutality

A particular customize with green line and letters for subfloat

Short story about space worker geeks who zone out by 'listening' to radiation from stars

Method to test if a number is a perfect power?

Sort a list by elements of another list

Roman Numeral Treatment of Suspensions

Anatomically Correct Strange Women In Ponds Distributing Swords

Is the destination of a commercial flight important for the pilot?



How to check for unofficially installed CA certificates to avoid MITM attacks


Where does Ubuntu store the SSL certificates for Pidgin?How to use certificates for Eduroam?How to manage imported certificates?How to install certificates for command lineDoes snap require particular certificates to be installed?Update-ca-certificates: 0 added; 0 removed - how come?How do you set up SSL certificates for additional ports in Apache?Nginx reverse proxy for Apache: does Apache need SSL certificates?Messed-up with ca-certificates/ How to restore back to defaulthow to revoke x.509 certificates?













0















I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:




To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.

[...]

Contrary to widespread belief, public key pinning [19]— an HTTPS feature
that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].




To make the situation more clear:




SSL web browsing is exactly as strong as the weakest CA.




I wan't to make sure my HTTPS connections are secure at least in three aspects:



  • Chrome/Chromium

  • Firefox

  • Ubuntu official repos/Snap

There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?



Some "research"




  • checkmyhttps seems old and not trustworthy


  • Chrome: I'm not sure if chrome://settings/certificates is a subset of what return some of this commands:



    locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in 
    trust list
    certutil -L


  • I already sudo update-ca-certificates -v -f but this seems to just update, not remove any sneaky installed certificate.

Reference



  • https://www.chromium.org/Home/chromium-security/root-ca-policy









share|improve this question




























    0















    I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:




    To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.

    [...]

    Contrary to widespread belief, public key pinning [19]— an HTTPS feature
    that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].




    To make the situation more clear:




    SSL web browsing is exactly as strong as the weakest CA.




    I wan't to make sure my HTTPS connections are secure at least in three aspects:



    • Chrome/Chromium

    • Firefox

    • Ubuntu official repos/Snap

    There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?



    Some "research"




    • checkmyhttps seems old and not trustworthy


    • Chrome: I'm not sure if chrome://settings/certificates is a subset of what return some of this commands:



      locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in 
      trust list
      certutil -L


    • I already sudo update-ca-certificates -v -f but this seems to just update, not remove any sneaky installed certificate.

    Reference



    • https://www.chromium.org/Home/chromium-security/root-ca-policy









    share|improve this question


























      0












      0








      0








      I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:




      To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.

      [...]

      Contrary to widespread belief, public key pinning [19]— an HTTPS feature
      that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].




      To make the situation more clear:




      SSL web browsing is exactly as strong as the weakest CA.




      I wan't to make sure my HTTPS connections are secure at least in three aspects:



      • Chrome/Chromium

      • Firefox

      • Ubuntu official repos/Snap

      There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?



      Some "research"




      • checkmyhttps seems old and not trustworthy


      • Chrome: I'm not sure if chrome://settings/certificates is a subset of what return some of this commands:



        locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in 
        trust list
        certutil -L


      • I already sudo update-ca-certificates -v -f but this seems to just update, not remove any sneaky installed certificate.

      Reference



      • https://www.chromium.org/Home/chromium-security/root-ca-policy









      share|improve this question
















      I was reading this article about how surprisingly common are MitM attacks while using HTTPS. Around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper state:




      To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.

      [...]

      Contrary to widespread belief, public key pinning [19]— an HTTPS feature
      that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].




      To make the situation more clear:




      SSL web browsing is exactly as strong as the weakest CA.




      I wan't to make sure my HTTPS connections are secure at least in three aspects:



      • Chrome/Chromium

      • Firefox

      • Ubuntu official repos/Snap

      There is any terminal way to make sure I don't have any CA that doesn't come officially from this three main sources?



      Some "research"




      • checkmyhttps seems old and not trustworthy


      • Chrome: I'm not sure if chrome://settings/certificates is a subset of what return some of this commands:



        locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in 
        trust list
        certutil -L


      • I already sudo update-ca-certificates -v -f but this seems to just update, not remove any sneaky installed certificate.

      Reference



      • https://www.chromium.org/Home/chromium-security/root-ca-policy






      google-chrome security ssl certificates privacy






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 2 mins ago







      Pablo Bianchi

















      asked 13 mins ago









      Pablo BianchiPablo Bianchi

      3,02021536




      3,02021536




















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "89"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1129300%2fhow-to-check-for-unofficially-installed-ca-certificates-to-avoid-mitm-attacks%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Ask Ubuntu!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1129300%2fhow-to-check-for-unofficially-installed-ca-certificates-to-avoid-mitm-attacks%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Möglingen Índice Localización Historia Demografía Referencias Enlaces externos Menú de navegación48°53′18″N 9°07′45″E / 48.888333333333, 9.129166666666748°53′18″N 9°07′45″E / 48.888333333333, 9.1291666666667Sitio web oficial Mapa de Möglingen«Gemeinden in Deutschland nach Fläche, Bevölkerung und Postleitzahl am 30.09.2016»Möglingen

          Virtualbox - Configuration error: Querying “UUID” failed (VERR_CFGM_VALUE_NOT_FOUND)“VERR_SUPLIB_WORLD_WRITABLE” error when trying to installing OS in virtualboxVirtual Box Kernel errorFailed to open a seesion for the virtual machineFailed to open a session for the virtual machineUbuntu 14.04 LTS Virtualbox errorcan't use VM VirtualBoxusing virtualboxI can't run Linux-64 Bit on VirtualBoxUnable to insert the virtual optical disk (VBoxguestaddition) in virtual machine for ubuntu server in win 10VirtuaBox in Ubuntu 18.04 Issues with Win10.ISO Installation

          Torre de la Isleta Índice Véase también Referencias Bibliografía Enlaces externos Menú de navegación38°25′58″N 0°23′02″O / 38.43277778, -0.3838888938°25′58″N 0°23′02″O / 38.43277778, -0.38388889Torre de la Illeta de l’Horta o Torre Saleta. Base de datos de bienes inmuebles. Patrimonio Cultural. Secretaría de Estado de CulturaFicha BIC Torre de la Illeta de l’Horta. Dirección General de Patrimonio Cultural. Generalitat ValencianaLugares de interés. Ayuntamiento del CampelloTorre de la Isleta en CastillosNet.org