Lock certificate for domain

patrik_halfar

Add feature which allow lock specific certificate (server or authority) per domain. This feature disallow domain controlled main-in-the middle when own CA is enforced by domain policy or installed with another application to the system.

Configuration should be list of domains (possibly with wildcards) like
"*.example.com": FINGERPRINT_OF_CERT"

when finger print belongs to CA, then any "correct" certificate signed by this CA should be accepted ie. another CA could not sign certificate for domain
or
if fingerprint belongs to server certificate, then any other certificate should not be accepted (same as invalid certificate)

List should be possible edit manually in settings.
Cert could be lock by button in information about connection security as same as unlock.

This list should be synced.

Usage of this feature will cause service brake out when locked certificate is replaced (eg. due to expire) and will require manually fix by user.

This feature will not have impact to users who are not use it.

becm

@patrik_halfar an equivalent (or even better) feature was already implemented once.
Instead of allowing users more flexibility to set it up, Google ripped out the code out of Chromium.
So not really not much hope to get it back.

patrik_halfar

I disagree with you it is equivalent.

HPKP add new headers in HTTP protocol and make communication more complex
HPKP is deprecated by google and CT Logs still kept third person in process
Public CA affected only

Feature which I described is completely independent on the existing solution and require implementation in client only.

becm

@patrik_halfar manual addition of entries was supported via vivaldi://net-internals/ until the option was removed by the according Chromium update.
HTTP headers are only the most common way of distribution.

The cert (or CA for that matter) is not in the loop for PKP. If the server does not have the matching private key for the requested domain (or the trust period expired), the client will throw an error.
If website operators are not up to the task to renew entries in time, there are deadlocks. This happening regularly unfortunately lead to Google pulling the plug (public reason) without (as you mentioned) an adequate replacement.

The difference in the suggested feature is to use a cert hash with expiration bound to cert lifetime instead of a public key hash with expiration supplied by the user (or server).
Subdomain inclusion is covered in PKP as well.

LonM

Thank you for your request. As this post has had less than 5 votes over 4 years it will now be archived.