Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
09-23-2015 02:40 PM - edited 09-23-2015 03:08 PM
I'm seeing many sites recently, like Google and Reddit for example, that are implementing HPKP, which prevents man-in-the-middle decryption like the PA. Currently, Chrome browsers completely ignore the PA certificate on these sites and use the site cert. Firefox just stops with a security message with no proceed or bypass, even when the PA root cert has been imported manually into the browser.
Besides the fact that this breaks PA decryption, my concern is when captive portal "web-form" is enabled, some browsers do not forward to the portal if the first webpage someone browses to has HPKP (like gmail). It just fails to open the site, until the user tries a different site (or a different browser).
The only workaround I have been able to find is to whitelist these sites, but the number keeps growing. Is there a better way to fix the captive portal issue?
09-23-2015 03:29 PM
it should work with Chrome is your CA is deployed in Trust Enterprise store (not the classic & standard public CA store)
09-23-2015 03:31 PM
https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor).
09-23-2015 04:09 PM
@cpainchaud wrote:https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor).
Not quite sure what that means. I've added the PA cert into Firefox as both trusted root and in personal store (and whatever the other options are), but it still blocks it.
09-23-2015 04:23 PM
it says 'starting firefox 32' what version do you have and in which store did you install it ?
09-23-2015 04:32 PM
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#Implementation_status
How to use pinning
Starting with FF 32, it's on by default, so you don't have to do anything. The pinning level is enforced by a pref, security.cert_pinning.enforcement_level
What mode is enabled in yours ?
09-24-2015 04:52 AM - edited 09-24-2015 04:54 AM
Well, with Chrome, I have the PA cert imported as trusted publisher, root, etc. But, even if Google.com is in the decryption profile, Chrome itself ignores the Palo cert. I go to google.com or YouTube.com and look at the certificate, instead of my cert, it's google's own cert. But all other websites that use SSL do show my cert correctly, so I know it's working. It's only HPKP (or it might just be google's own sites).
As for Firefox, I'm using the latest version on my test machine. While I can easily make any conf changes here, the main issue is that there is no practical way to add certificates to Firefox on an enterprise-scale. It doesn't use GPO, so the cert has to be manually added to each installation. Then it wil work with "normal" websites and I verified that it decrypts. But it will not work with HPKP, unless each Firefox installation is manually changed with that setting you mentioned earlier (which I haven't had a chance to test yet).
Chrome isn't the main issue, because it just overrides the PA cert and allows the user to pass without a warning message. I'm not too concerned about decrypting Google's websites.
Firefox on the other hand, presents a hard security warning and prevents bypassing it.
09-24-2015 09:41 AM
it used to work with previous versions in my lab I am pretty sure with Chrome. Might be a bug on their side as their doc says it should work. May be you could open a bug on chromium project ?
09-24-2015 10:51 AM
I just went through this hell last week.
Solution: uninstall Firefox, delete the Mozilla folder under %APPDATA%, reboot, reinstall Firefox, reinstall firewall cert.
You should be good to go.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
