
#1 2015-02-23 15:39:41

Horowitz
Member
Registered: 2015-02-23
Posts: 1

HPKP broken system-wide?

Visiting https://superfish.tlsfun.de/style.css pins the valid certs for the domain superfish.tlsfun.de, incl. all sub-domains. So trying to open https://mitm.superfish.tlsfun.de/style.css should end in a browser error. On Win 7 and Ubuntu 14.04 that actually works: Firefox tells me:

Secure Connection Failed

An error occurred during a connection to mitm.superfish.tlsfun.de. The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden. (Error code: mozilla_pkix_error_key_pinning_failure)
• The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
• Please contact the website owners to inform them of this problem.

Same for Chrome: NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

Unfortunately on Arch, Firefox and Chromium/Chrome do load https://mitm.superfish.tlsfun.de/style.css without complaining, i.e. you are not protected against certain MITM attacks. How can this be fixed?

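The post above relies on three HPKP rules from RFC 7469: a Public-Key-Pins header is only noted when one of its pins matches the chain it arrived over and another is a backup pin absent from that chain; pins noted with includeSubDomains cover every sub-domain; and later connections to a covered host fail unless a pinned SPKI hash is in the presented chain. The following Python is an added example (not from either poster and not the Firefox or Chromium implementation) that models a browser pin store with exactly those rules. The SPKI byte strings and the header value are constructed stand-ins; a real pin is base64(SHA-256(DER SubjectPublicKeyInfo)) of a key in the chain, and the hostnames are the ones from the post.

```python
import base64
import hashlib
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinEntry:
    pins: set
    expires_at: float
    include_subdomains: bool


def parse_pkp_header(value: str) -> dict:
    """Split a Public-Key-Pins header into pin-sha256 values, max-age and includeSubDomains."""
    pins, max_age, include_subdomains = [], None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            pins.append(raw)
        elif name == "max-age":
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("Public-Key-Pins without max-age is invalid (RFC 7469 section 2.1)")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


class PinStore:
    """Minimal model of a browser's HPKP store: noting pins and validating later connections."""

    def __init__(self):
        self._entries = {}  # host -> PinEntry

    def note(self, host: str, header: str, chain_spkis, now: float) -> bool:
        """Record pins sent by `host` over a chain whose SPKIs are `chain_spkis`.
        Returns False, noting nothing, when RFC 7469 says the header must be ignored."""
        directives = parse_pkp_header(header)
        pins = set(directives["pins"])
        chain_pins = {spki_pin(s) for s in chain_spkis}
        if not pins & chain_pins:      # no pin matches the chain the header came over
            return False
        if not pins - chain_pins:      # no backup pin (a pin not in the current chain)
            return False
        if directives["max_age"] == 0:  # max-age=0 tells the UA to forget the host
            self._entries.pop(host, None)
            return True
        self._entries[host] = PinEntry(pins, now + directives["max_age"],
                                       directives["include_subdomains"])
        return True

    def applicable_pins(self, host: str, now: float):
        """Pins that apply to `host`: an exact entry, or a parent with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return entry.pins
        return None

    def check(self, host: str, chain_spkis, now: float) -> bool:
        """Pin validation: passes if no pins apply, or if some pinned key is in the chain."""
        pins = self.applicable_pins(host, now)
        if pins is None:
            return True
        return bool(pins & {spki_pin(s) for s in chain_spkis})


# Constructed placeholder SPKI blobs (not real keys). In practice each is the DER
# SubjectPublicKeyInfo of a certificate in the chain, e.g. from
# `openssl x509 -in leaf.pem -pubkey -noout | openssl pkey -pubin -outform DER`.
SITE_SPKI = b"constructed-spki-of-the-superfish.tlsfun.de-key"
BACKUP_SPKI = b"constructed-spki-of-the-offline-backup-key"
MITM_SPKI = b"constructed-spki-of-an-interception-proxy-key"

# Constructed header of the kind superfish.tlsfun.de would send (60 days, sub-domains included).
HEADER = (f'pin-sha256="{spki_pin(SITE_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
          "max-age=5184000; includeSubDomains")


def demo() -> dict:
    """Walk through the scenario in the post with a fixed clock so results are deterministic."""
    store = PinStore()
    t0 = 1_424_700_000.0  # arbitrary fixed "now" in seconds
    noted = store.note("superfish.tlsfun.de", HEADER, [SITE_SPKI], t0)
    return {
        "noted": noted,
        "real_site_ok": store.check("superfish.tlsfun.de", [SITE_SPKI], t0 + 60),
        "mitm_subdomain_blocked": not store.check("mitm.superfish.tlsfun.de", [MITM_SPKI], t0 + 60),
        "unrelated_host_unaffected": store.check("example.org", [MITM_SPKI], t0 + 60),
        "pins_expired": store.check("mitm.superfish.tlsfun.de", [MITM_SPKI], t0 + 5184001),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model deliberately has no "override" path, matching the Firefox message that key pinning violations cannot be overridden. One caveat when comparing it with a real browser: RFC 7469 permits a user agent to skip pin validation when the chain terminates at a locally installed trust anchor rather than a built-in one, so a store like this would also need to know which root a chain ends at to reproduce a particular browser's behaviour exactly.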

#2 2015-03-05 14:20:39

Lone_Wolf
Forum Moderator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,964

Re: HPKP broken system-wide?

Looks like all Arch browsers have that problem; check FS #43971.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

