topic Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal in General Topics

HSTS and HPKP "pinned certs" - breaks decryption and captive portal

Maxstr — Wed, 23 Sep 2015 22:08:20 GMT

I'm seeing many sites recently, like Google and Reddit for example, that are implementing HPKP, which prevents man-in-the-middle decryption like the PA. Currently, Chrome browsers completely ignore the PA certificate on these sites and use the site cert. Firefox just stops with a security message with no proceed or bypass, even when the PA root cert has been imported manually into the browser.

Besides the fact that this breaks PA decryption, my concern is when captive portal "web-form" is enabled, some browsers do not forward to the portal if the first webpage someone browses to has HPKP (like gmail). It just fails to open the site, until the user tries a different site (or a different browser).

The only workaround I have been able to find is to whitelist these sites, but the number keeps growing. Is there a better way to fix the captive portal issue?

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

cpainchaud — Wed, 23 Sep 2015 22:29:40 GMT

it should work with Chrome is your CA is deployed in Trust Enterprise store (not the classic & standard public CA store)

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

cpainchaud — Wed, 23 Sep 2015 22:31:49 GMT

https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning

Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor).

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

Maxstr — Wed, 23 Sep 2015 23:09:17 GMT

@cpainchaud wrote:
https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning

Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor).

Not quite sure what that means. I've added the PA cert into Firefox as both trusted root and in personal store (and whatever the other options are), but it still blocks it.

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

cpainchaud — Wed, 23 Sep 2015 23:23:01 GMT

it says 'starting firefox 32' what version do you have and in which store did you install it ?

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

cpainchaud — Wed, 23 Sep 2015 23:32:31 GMT

https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#Implementation_status

How to use pinning

Starting with FF 32, it's on by default, so you don't have to do anything. The pinning level is enforced by a pref, security.cert_pinning.enforcement_level

0. Pinning disabled
1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
2. Strict. Pinning is always enforced.
3. Enforce test mode.

What mode is enabled in yours ?

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

Maxstr — Thu, 24 Sep 2015 11:54:50 GMT

Well, with Chrome, I have the PA cert imported as trusted publisher, root, etc. But, even if Google.com is in the decryption profile, Chrome itself ignores the Palo cert. I go to google.com or YouTube.com and look at the certificate, instead of my cert, it's google's own cert. But all other websites that use SSL do show my cert correctly, so I know it's working. It's only HPKP (or it might just be google's own sites).

As for Firefox, I'm using the latest version on my test machine. While I can easily make any conf changes here, the main issue is that there is no practical way to add certificates to Firefox on an enterprise-scale. It doesn't use GPO, so the cert has to be manually added to each installation. Then it wil work with "normal" websites and I verified that it decrypts. But it will not work with HPKP, unless each Firefox installation is manually changed with that setting you mentioned earlier (which I haven't had a chance to test yet).

Chrome isn't the main issue, because it just overrides the PA cert and allows the user to pass without a warning message. I'm not too concerned about decrypting Google's websites.

Firefox on the other hand, presents a hard security warning and prevents bypassing it.

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

cpainchaud — Thu, 24 Sep 2015 16:41:53 GMT

it used to work with previous versions in my lab I am pretty sure with Chrome. Might be a bug on their side as their doc says it should work. May be you could open a bug on chromium project ?

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

efairhurst — Thu, 24 Sep 2015 17:51:16 GMT

I just went through this hell last week.

Solution: uninstall Firefox, delete the Mozilla folder under %APPDATA%, reboot, reinstall Firefox, reinstall firewall cert.

You should be good to go.