undefined | Better HN

0 pointsm-j-fox9y ago0 comments

> pretty standard fare for a corporate firewall/proxy

It is? So corporations install something that infects your laptop and updates the root certificate every time Chrome or Firefox updates? Sounds extreme to me. Something the NSA might be able to do, but hopefully not my company.

0 comments

4 comments · 2 top-level

mjcl9y ago· 2 in thread

If you're running Windows, it's built into the OS using Group Policy. Very helpful when a company is running it's own internal CA/PKI.

m-j-foxOP9y ago

Wow Windows. You've outdone yourself. Can I assume Linux and Mac are safe?

mi100hael9y ago

Nope, you can install additional certificate authorities in the system keychain on Mac, which Safari and Chrome both use. Commonly done on managed installs.

https://www.jamf.com/jamf-nation/discussions/11830/deploying...

Other applications on mac/linux that use their own keystore like OpenSSL or Java will throw cert errors if you don't also install the CA in their keystores, but that could be scripted as well if it causes too much friction for users.

If you're in such an environment, the options are either install the CA or don't use anything that requires HTTPS ¯\_(ツ)_/¯

dboreham9y ago

It is and they do. You'll find many historical threads here discussing cases where interested parties were actively campaigning to thwart anti-MITM measures being added to TLS, because they broke their MITM attacks that their businesses depend on.

j / k navigate · click thread line to collapse