Since Vivaldi supports HTTP Public Key Pinning, does it prevent the fake cert of Redirector.Paco?



  • There is a news item (http://thehackernews.com/2016/05/money-hacker.html) reporting that the attack uses a forged certificate issued by a free root certificate to fool the browser. Would Vivaldi prohibit this fraud, since Vivaldi supports HPKP?


  • Moderator

    Certificates installed locally by malware or legitimate software (virus scanners, debug proxies etc.) are not pinned in Chrom*, Vivaldi, Opera and Firefox; IE and Edge have no pinning at all.
    If malware installs a proxy, you have no assurance that the SSL connection really goes to the server you are visiting.
    But if some malware was installed, you have more problems than unsafe SSL with certificates.



  • @Gwen-Dragon:

    Certificates installed locally by malware or legitimate software (virus scanners, debug proxies etc.) are not pinned in Chrom*, Vivaldi, Opera and Firefox; IE and Edge have no pinning at all.
    If malware installs a proxy, you have no assurance that the SSL connection really goes to the server you are visiting.
    But if some malware was installed, you have more problems than unsafe SSL with certificates.

    The malware installs the proxy to perform a man-in-the-middle attack that responds with a fake destination certificate to the browser. For instance, you visit Google or Yahoo to search for something; the proxy intercepts it and replies with a tampered search result. Because both Google and Yahoo have adopted HTTPS connections, the proxy must fake the Google/Yahoo certificate to be able to tamper with the search result, fooling the browser into thinking it is still HTTPS, that the certificate matches the site name and that it passes certificate chain verification.

    I think HPKP is a way to prevent this attack from happening. So I am asking here whether Vivaldi could prevent this from happening.


  • Moderator

    The browser is not fooled about HTTPS; even with a forged certificate the connection is SSL, but it is fooled about the certificate of the destination domain.

    HPKP in ALL browsers does prevent this under some circumstances.
    But not if a local, possibly forged, certificate is stored in the user's certificate store.
    That is not a problem of Vivaldi; it is in all browsers, and this behavior is allowed and described in the RFC standard for HPKP; see https://tools.ietf.org/html/rfc7469#section-2.6

    Summary: HPKP (in all browsers) cannot prevent a local certificate forgery or man-in-the-middle attack.

    It is more snake oil than a security feature. Like a seat belt: it does not prevent accidents, but it prevents most injuries in accidents.
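The RFC 7469 behaviour the moderator points to, as an added example that is not code from this thread, from Vivaldi, or from any browser: a stdlib-only Python model of HPKP pin computation (base64 of the SHA-256 of the SubjectPublicKeyInfo), Public-Key-Pins header parsing, the backup-pin rule for noting pins, and Pin Validation with the section 2.6 exemption for chains that terminate at a user-installed trust anchor. The SPKI byte strings, the header and the hostname scenario are constructed placeholders, not real keys or real traffic; only their hashes matter for the logic shown.

```python
"""Model of HPKP (RFC 7469) pin validation, including the section 2.6
exemption for chains that end at a locally installed trust anchor.

Added example for this thread; not browser or Vivaldi code. The SPKI
byte strings below are constructed stand-ins, not real DER-encoded keys.
"""
import base64
import hashlib
import re


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 section 2.4: a pin is base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value (RFC 7469 section 2.1).

    Returns pins (set of base64 strings), max_age and include_subdomains.
    Raises ValueError if max-age is missing or a directive is malformed.
    """
    pins, max_age, include_subdomains = set(), None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        if m := re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive, re.I):
            pins.add(m.group(1))
        elif m := re.fullmatch(r"max-age=(\d+)", directive, re.I):
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_subdomains = True
        elif re.fullmatch(r'report-uri="[^"]*"', directive, re.I):
            pass  # accepted but not used in this model
        else:
            raise ValueError(f"malformed directive: {directive!r}")
    if max_age is None:
        raise ValueError("max-age is required")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def should_note_pins(parsed: dict, chain_spkis: list) -> bool:
    """RFC 7469 section 2.5: a UA notes pins only if at least one pin matches
    an SPKI in the validated chain and at least one is a Backup Pin that
    matches none of them (so a key rotation cannot lock the site out)."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(parsed["pins"] & chain_pins) and bool(parsed["pins"] - chain_pins)


def pin_validation(chain_spkis: list, pins: set, user_added_root: bool = False) -> bool:
    """Pin Validation (RFC 7469 section 2.6) for one TLS connection.

    chain_spkis is the validated chain as SPKI byte strings, leaf first. The
    connection passes if any SPKI in the chain hashes to a noted pin.
    Section 2.6 lets a UA skip validation when the chain terminates at a
    trust anchor the user (or local software) installed rather than one
    built into the UA; that exemption is why a proxy's locally installed
    root is never caught by a pin.
    """
    if user_added_root:
        return True
    return any(spki_pin(s) in pins for s in chain_spkis)


# Constructed stand-ins (NOT real DER); only their SHA-256 hashes matter here.
SITE_LEAF_SPKI = b"constructed SPKI: legitimate site leaf key"
SITE_BACKUP_SPKI = b"constructed SPKI: site backup key kept offline"
PUBLIC_CA_ROOT_SPKI = b"constructed SPKI: root built into the browser"
FORGED_LEAF_SPKI = b"constructed SPKI: key the proxy generated for the same hostname"
LOCAL_ROOT_SPKI = b"constructed SPKI: root the proxy added to the user's store"

# Constructed header, as the real site would send it over a pin-valid connection.
SITE_PKP_HEADER = (
    f'pin-sha256="{spki_pin(SITE_LEAF_SPKI)}"; '
    f'pin-sha256="{spki_pin(SITE_BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)


def scenario() -> dict:
    """Walk through the thread's situation and return each UA decision."""
    parsed = parse_pkp_header(SITE_PKP_HEADER)
    legit_chain = [SITE_LEAF_SPKI, PUBLIC_CA_ROOT_SPKI]
    # Chain a proxy would present if it obtained a misissued cert from a built-in CA.
    forged_public = [FORGED_LEAF_SPKI, PUBLIC_CA_ROOT_SPKI]
    # Chain a proxy presents after installing its own root in the user's store.
    forged_local = [FORGED_LEAF_SPKI, LOCAL_ROOT_SPKI]
    return {
        "noted": should_note_pins(parsed, legit_chain),
        "legit": pin_validation(legit_chain, parsed["pins"]),
        # Pin mismatch: HPKP blocks this even though the chain itself validates.
        "forged_via_builtin_root": pin_validation(forged_public, parsed["pins"]),
        # Section 2.6 exemption: the local root bypasses the pin (the thread's case).
        "forged_via_local_root": pin_validation(forged_local, parsed["pins"], user_added_root=True),
        # What a UA that did not implement the exemption would decide for the same chain.
        "forged_via_local_root_strict": pin_validation(forged_local, parsed["pins"]),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:30s} {'connection allowed' if ok else 'pin failure, blocked'}")
```

The two forged cases are the whole argument: the same forged leaf key fails Pin Validation when its chain ends at a built-in root, and passes untouched when it ends at a root the proxy added to the user's store, because the UA has opted into the section 2.6 exemption. Whether a UA takes that exemption is a local policy choice the RFC explicitly permits, which is why the answer is the same across browsers rather than specific to Vivaldi.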



  • You are right. It's my misunderstanding. Thank you.

    I just did an experiment: I set up a temporary fake www.google.com web server and used Firefox to connect to it. Nothing abnormal happened; I mean it showed my fake www.google.com web page normally, without any warnings or the like.

    That is how free CA services, while bringing convenience, also bring bad side effects.

