[squid-users] SSL-bump and Public Key Pinning (HPKP)

Jason Haar Jason_Haar at trimble.com
Sun Jul 5 23:34:30 UTC 2015


On 6/07/15 2:01 am, Walter H. wrote:
> reply_header_access Public-Key-Pins deny all
>
> but this doesn't really work; is there another way?
If you think you can override all pinning options, then I'm afraid 
you're mistaken. Well-written security apps should do their darndest to 
stop TLS intercept from working: e.g. hardwiring the CA cert into the 
application itself and barfing if it ever starts an HTTPS connection that 
isn't signed by their "one" CA.

You have to accept that and configure for it: simply create a 
"noSSLintercept" acl and in there place the ones that can't be fiddled 
with. I'm still only testing TLS intercept myself, but so far I've only 
whitelisted the following:

.preyproject.com
accounts.google.com
.push.hello.firefox.com

BTW, even though Chrome/Firefox support key pinning, as a general rule 
they actually support TLS intercept as well - in that if they detect the 
CA involved in a cert-chain is trusted by the *user* and is not a 
"commercial" CA, then they assume TLS Intercept must be involved and 
allow it to work (at least that's how it seems to work to me). Not a bad 
idea as it allows companies to do TLS intercept, but still guards 
against governments forcing commercial CAs to create "fake" server certs 
(let's be honest - all of this is about stopping government snooping - 
not about normal criminal behavior).

Jason
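The "noSSLintercept" ACL Jason describes, written out as a squid.conf fragment. This is an added example, not part of Jason's post and not Squid project documentation; it uses Squid 3.5 SSL-bump syntax (peek/splice/bump), the three hostnames from the post, and placeholder paths for the intercept CA certificate and the certificate-generator helper.

```squid
# Added example (not from the original post): exclude pinned sites from
# TLS intercept by splicing them instead of bumping. Paths are placeholders.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl/intercept-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Sites that pin their CA or hard-code it in the client; bumping these
# only produces connection failures, so pass them through untouched.
acl noSSLintercept ssl::server_name .preyproject.com accounts.google.com .push.hello.firefox.com

# Peek at the ClientHello first so ssl::server_name can match on the SNI,
# then splice (tunnel without decryption) anything on the list and bump
# everything else.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice noSSLintercept
ssl_bump bump all
```

The peek at step 1 matters: without it Squid has not yet seen the SNI when `ssl_bump splice` is evaluated, so the ACL cannot match. As the list grows it is easier to keep the hostnames in a file (`acl noSSLintercept ssl::server_name "/etc/squid/nobump.txt"`) and watch `cache.log` for TLS handshake failures, which are the usual sign of a pinned site that still needs adding. Note that stripping `Public-Key-Pins` from responses, as in the quoted attempt, does nothing for pins that are hard-coded in the application or browser; only splicing avoids breaking those clients.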

