
I'm using Chrome in an environment that employs transparent TLS inspection. There is a private CA that issues the certificates and is available in the trusted authorities store. When I visit mail.google.com I don't receive a warning. I would expect to receive a warning since the certificate issuer does not match the static pinset (https://github.com/chromium/chromium/blob/master/net/http/transport_security_state_static.json).

Why can I connect to google.com without a warning (e.g. pinset failure)? This is concerning to me as there is a multitude of CAs, any of which can potentially issue a certificate for, say, google.com.

Does certificate transparency remedy this issue?

1 Answer


Why can I connect to google.com without a warning (e.g. pinset failure)?

Because browsers ignore pinning if the CA is one explicitly added as trusted, i.e. not one from the default CA store but still trusted. This is done to work together with trusted SSL interception, as done not only in corporate environments but which is also employed by various local antivirus products.

Does certificate transparency remedy this issue?

No. See also How effective is Expect-CT against content inspection in an enterprise context?

  • Firefox has a setting to restore the behavior: security.cert_pinning.enforcement_level=2. But it doesn't seem to be an option under Chrome.
    – Tom
    Commented Mar 11, 2021 at 23:04
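To make the answer's explanation concrete, here is a small model of the decision a browser makes when it validates a chain for a host that appears in the static pin list. This is added example code, not Chromium's or Firefox's implementation: the configuration is a constructed, simplified excerpt in the shape of transport_security_state_static.json (the real file names pinned certificates and keeps their hashes in a comment block; here the SPKI hashes are inlined), the SPKI byte strings are made up, and the `strict` flag is an assumption that stands in for the effect the comment attributes to Firefox's `security.cert_pinning.enforcement_level=2`. The `spki_pin` helper does compute pins in the real `sha256/<base64>` syntax.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin syntax used by HPKP and by Chromium's static pin list: SHA-256 of the
    DER-encoded SubjectPublicKeyInfo, base64-encoded, prefixed with 'sha256/'."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


# Constructed byte strings standing in for the DER SPKI of real keys.
GOOGLE_KEY = b"constructed SPKI: a key that appears in the google pinset"
INSPECTOR_KEY = b"constructed SPKI: the private TLS-inspection CA"

# Constructed, simplified excerpt in the shape of the Chromium static list.
STATIC_CONFIG = {
    "pinsets": [
        {"name": "google", "static_spki_hashes": [spki_pin(GOOGLE_KEY)]},
    ],
    "entries": [
        {"name": "google.com", "include_subdomains": True,
         "pins": "google", "mode": "force-https"},
        # HSTS-only entry: preloaded, but no pinset attached.
        {"name": "example.com", "include_subdomains": False,
         "mode": "force-https"},
    ],
}


def find_entry(hostname, entries):
    """Return the most specific entry covering hostname: an exact match, or
    the longest parent domain whose entry has include_subdomains set."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for entry in entries:
            if entry["name"] != candidate:
                continue
            if i == 0 or entry.get("include_subdomains"):
                return entry
    return None


def pin_decision(hostname, chain_spkis, root_is_builtin,
                 strict=False, config=STATIC_CONFIG):
    """Model the browser's pin check for one validated chain.

    chain_spkis     - DER SPKI of every certificate in the chain (leaf..root)
    root_is_builtin - True if the chain anchors to a root from the built-in
                      store; False if it anchors to a locally added root
                      (enterprise inspection CA, antivirus CA, ...)
    strict          - assumed flag: enforce pins even for locally added roots,
                      as the comment describes for Firefox's enforcement_level=2
    Returns 'no-pins', 'bypassed-local-root', 'pass' or 'fail'.
    """
    entry = find_entry(hostname, config["entries"])
    if entry is None or "pins" not in entry:
        return "no-pins"
    if not root_is_builtin and not strict:
        # The behaviour the answer explains: pins are not enforced when the
        # chain ends in a trust anchor the user or administrator added.
        return "bypassed-local-root"
    pinset = next(p for p in config["pinsets"] if p["name"] == entry["pins"])
    presented = {spki_pin(spki) for spki in chain_spkis}
    # A chain passes when any SPKI in it matches any hash in the pinset.
    return "pass" if presented & set(pinset["static_spki_hashes"]) else "fail"


if __name__ == "__main__":
    # The situation in the question: mail.google.com served via the inspection
    # CA, which was installed locally.
    print(pin_decision("mail.google.com", [INSPECTOR_KEY], root_is_builtin=False))
    # Same chain, with pins enforced regardless of where the root came from.
    print(pin_decision("mail.google.com", [INSPECTOR_KEY],
                       root_is_builtin=False, strict=True))
```

The first call returns `bypassed-local-root`, which is the "no warning" the question observes; the second returns `fail`, which is the warning the asker expected. Note that the bypass is a property of the trust anchor's origin, not of the host: a chain for mail.google.com that anchors to a built-in root and does not contain a pinned key still fails.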
