Is it possible that Firefox and Chrome disable pin validation for users who imported custom root certificates all pinning violations are ignored. What is impact of that? Will browser report any warning?
1 Answer
can HPKP certificate pinning disable DPI inspection on firewall?
No, HPKP has not automatic affect on the firewall and how it does DPI.
Is it possible that Firefox and Chrome disable pin validation for users who imported custom root certificates all pinning violations are ignored.
That's not only possible but this is actually the case. Pinning will be disabled if the certificate is signed by a CA which was explicitly imported as trusted. This is explicitly done to make legal SSL interception as done in firewalls but also desktop antivirus products possible.
What is impact of that? Will browser report any warning?
The impact of this is that SSL interception is possible even if certificate pinning is used. Browsers will not show any warning. Users can detect interception by looking at the certificate details. And, they will see that sites which usually have EV certificates (i.e. green URL bar) will not have an EV certificate any longer. Apart from that no difference can be seen.
SSL interception of course have various impacts. Most of these are not specific to HPKP so I will not discuss these here. But there is one impact specific to HPKP: most SSL interception solutions will not check if the pinning information in the HPKP header match the certificate they just got and they will also not save HPKP information like the browser does and check if they get the expected certificate later. This means that the HPKP is essentially ignored in case of SSL interception, both by the SSL interception product and by the browser behind it.
answered Sep 28, 2017 at 6:24
