Mailinglist Archive: opensuse (1355 mails)

Re: [opensuse] Re: opensuse mailing list site ridiculousness (TLS on Repositories)
On 06/17/2018 09:52 AM, Lew Wolfgang wrote:
> BTW, I think it's possible to detect enterprise-level MITM decryption,
> but don't know the details.  I vaguely remember something about
> certificate pinning.  Any thoughts?  I haven't googled this yet...


Yes, pinning throws a wrench in the man-in-the-middle SSL attacks by
causing a browser to trust only the legitimate certificate for a
timeframe, even if a trusted CA also presents a certificate for that
site. In some cases it may be permanent; for example, since Google ships
Chrome, they can also tell Chrome that only a specific CA will issue
certificates for google.com, and certs issued by another CA will remain
untrusted.

Also, you can always tell if something is going on by looking at the
certificate chain itself in your browser. Unless your company is going
so far as to set up CAs with legitimate but faked names, they are not
going to match the actual certificate chain.


--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
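
The two checks described in the reply above, as an added example that is not part of the original mail: compare the presented certificate against a pin recorded earlier, and compare its issuer against the one you expect. Assumptions: the pin here is a SHA-256 over the whole DER certificate (browser pinning such as HPKP hashes the public key instead), the function names are hypothetical, and the sample inputs are constructed stand-ins rather than real certificates.

```python
import hashlib
import socket
import ssl

def fingerprint(der):
    """SHA-256 over the DER certificate; a whole-certificate pin (assumption)."""
    return hashlib.sha256(der).hexdigest()

def issuer_field(cert_info, field="organizationName"):
    """Read one issuer attribute from an ssl.getpeercert()-style dict."""
    for rdn in cert_info.get("issuer", ()):   # tuple of RDNs
        for name, value in rdn:               # each RDN: (name, value) pairs
            if name == field:
                return value
    return None

def assess(der, cert_info, pinned, expected_issuer):
    """Return a list of findings; an empty list means nothing looks intercepted."""
    findings = []
    if fingerprint(der) not in pinned:
        findings.append("pin-mismatch")
    issuer = issuer_field(cert_info)
    if issuer != expected_issuer:
        findings.append("issuer-changed:%s" % issuer)
    return findings

def fetch(host, port=443, timeout=5.0):
    """Fetch the leaf certificate (DER bytes and parsed dict) from a live host.
    The default context validates the chain, so a certificate signed by an
    inspection CA installed in the local trust store still gets this far,
    which is why the pin comparison is needed on top of normal validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

# Constructed stand-ins (not real certificates) so the logic runs offline.
GENUINE_DER = b"constructed-genuine-leaf"
PROXY_DER = b"constructed-proxy-leaf"
GENUINE_INFO = {"issuer": ((("organizationName", "Example Public CA"),),)}
PROXY_INFO = {"issuer": ((("organizationName", "Corp Inspection CA"),),)}
PINS = {fingerprint(GENUINE_DER)}  # recorded on a network you trust

if __name__ == "__main__":
    print(assess(GENUINE_DER, GENUINE_INFO, PINS, "Example Public CA"))
    print(assess(PROXY_DER, PROXY_INFO, PINS, "Example Public CA"))
```

The pin has to be recorded from a network path you trust, and a whole-certificate pin changes at every renewal, so a mismatch means "re-check", not proof of interception.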
