[cabfpub] Lenovo installation of malicious root.

Ryan Sleevi sleevi at google.com
Mon Feb 23 19:05:25 UTC 2015


On Mon, Feb 23, 2015 at 10:41 AM, Bruce Morton <bruce.morton at entrust.com> wrote:
> Have we just come across an issue with operating systems/browsers and
> private roots?
>

Yes

>
>
> I suppose an attacker can install proxy software with their private root and
> examine all secured traffic. We don’t need Lenovo to install this software,
> this could easily be done by any corner-store computer shop.
>

Correct

>
>
> Should private roots get the same trust indication as public trust roots?
>

Yes.

>
>
> Public key pinning didn’t even catch this issue as the private root seems to
> be trusted more than the public trust roots are.

Correct, because public key pinning is not designed to catch such
issues, as it cannot catch such issues.

http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-

>
>
>
> Thanks, Bruce.
>
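To make concrete why pinning does not flag a locally installed interception root, while a separate trust-store check does, here is an added example that is not part of the thread above. It models the documented browser rule (pins are only enforced for chains that end in a root from the public trust store) and the complementary check an administrator can run. All certificate material is constructed stand-in bytes, not real DER, and pins are hex SHA-256 of those bytes for readability; the function names are this example's own.

```python
"""Model of pin enforcement versus a local-root interception check.

Everything here is constructed for illustration: the SPKI blobs are plain
byte strings standing in for DER-encoded SubjectPublicKeyInfo, and a pin is
the hex SHA-256 of that blob (real HPKP pins are base64 SHA-256).
"""
import hashlib

# Constructed SPKI stand-ins.
SPKI_SITE = b"constructed-spki:example-site-leaf"
SPKI_PUBLIC_ROOT = b"constructed-spki:public-root-A"
SPKI_OTHER_PUBLIC_ROOT = b"constructed-spki:public-root-B"
SPKI_MISISSUED_LEAF = b"constructed-spki:misissued-leaf"
SPKI_PROXY_LEAF = b"constructed-spki:proxy-generated-leaf"
SPKI_LOCAL_PROXY_ROOT = b"constructed-spki:locally-installed-proxy-root"


def spki_pin(spki: bytes) -> str:
    """Pin for a public key: hex SHA-256 of the (stand-in) SPKI bytes."""
    return hashlib.sha256(spki).hexdigest()


# Roots shipped with the OS/browser (constructed public trust store).
PUBLIC_ROOTS = {spki_pin(SPKI_PUBLIC_ROOT), spki_pin(SPKI_OTHER_PUBLIC_ROOT)}

# Pins the site declared: its own key plus the public CA that issued it.
SITE_PINS = {spki_pin(SPKI_SITE), spki_pin(SPKI_PUBLIC_ROOT)}

# Three chains, leaf first and root last.
GENUINE_CHAIN = [SPKI_SITE, SPKI_PUBLIC_ROOT]
MISISSUED_CHAIN = [SPKI_MISISSUED_LEAF, SPKI_OTHER_PUBLIC_ROOT]
PROXY_CHAIN = [SPKI_PROXY_LEAF, SPKI_LOCAL_PROXY_ROOT]


def evaluate_pins(chain, site_pins, public_roots):
    """Apply the browser rule for key pinning.

    Returns 'ok' when a pinned key is in the chain, 'pin-violation' when a
    publicly trusted chain carries none of the pinned keys, and
    'local-root-bypass' when the chain ends in a root that is not in the
    public trust store, because pins are not enforced for such chains.
    """
    if spki_pin(chain[-1]) not in public_roots:
        return "local-root-bypass"
    if any(spki_pin(spki) in site_pins for spki in chain):
        return "ok"
    return "pin-violation"


def terminates_in_local_root(chain, public_roots):
    """Defender-side check: a chain for a public site that ends in a root
    outside the public store indicates a local interception root."""
    return spki_pin(chain[-1]) not in public_roots


def audit_trust_store(installed_roots, public_roots):
    """Return pins of installed roots that are not part of the public
    baseline, i.e. candidates for review on an endpoint."""
    return sorted(spki_pin(r) for r in installed_roots if spki_pin(r) not in public_roots)


def run_scenarios():
    """Evaluate the three constructed chains under both checks."""
    return {
        "genuine": (evaluate_pins(GENUINE_CHAIN, SITE_PINS, PUBLIC_ROOTS),
                    terminates_in_local_root(GENUINE_CHAIN, PUBLIC_ROOTS)),
        "misissued": (evaluate_pins(MISISSUED_CHAIN, SITE_PINS, PUBLIC_ROOTS),
                      terminates_in_local_root(MISISSUED_CHAIN, PUBLIC_ROOTS)),
        "proxy": (evaluate_pins(PROXY_CHAIN, SITE_PINS, PUBLIC_ROOTS),
                  terminates_in_local_root(PROXY_CHAIN, PUBLIC_ROOTS)),
    }


if __name__ == "__main__":
    for name, (pin_result, local_root) in run_scenarios().items():
        print(f"{name:10s} pins={pin_result:18s} local_root={local_root}")
```

The mis-issued chain is the case pinning exists to catch, and it is reported as a violation; the proxy chain is skipped by the pin check entirely, exactly the "trusted more than public roots" effect described above, and only the trust-store comparison surfaces it. On a real endpoint the same idea applies to the installed root list: diff it against the vendor's shipped set and review anything extra.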


