On Thu, Jul 18, 2019 at 10:00 AM Ryan Sleevi <ryan.sle...@gmail.com> wrote:

>
> On Thu, Jul 18, 2019 at 12:50 PM Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Finally, I'll point out that Firefox implements public key pinning via a
>> preloaded list of sites, so the reported MITM will fail for those:
>>
>> https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#Implementation_status
>
>
> Wayne,
>
> I don't believe this is correct. Locally-installed trust anchors bypass
> pinning, as they're indicators of explicit user action (or coercion) to
> configure. As a consequence, unless the pinning mode is set to 2. Strict
> (which will typically preclude the use of a number of anti-virus products,
> for better or worse), which it is not by default, the MITM will not fail.
> From the Firefox point-of-view, it's completely transparent whether the
> MITM is being done by local security software or a nation-state
>

Yes, I had just realized that - in the default state, pinning in Firefox
will not block this type of MITM.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
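The point Ryan makes above, that the preloaded pins only bite against a locally installed root when the pinning enforcement level is "strict", is something a defender can check directly in a profile's prefs.js or user.js. The script below is an added example, not code from anyone in this thread or from Mozilla. It assumes the Firefox preference name security.cert_pinning.enforcement_level and the level meanings (0 disabled, 1 allow user-installed MITM roots, 2 strict, 3 enforce test mode) from about:config; those are the editor's understanding, not something quoted in the message, and the sample prefs.js content is constructed for the example.

```python
import re

# Firefox about:config preference that selects the pinning mode.
# Name and level semantics are the editor's reading of Firefox's about:config,
# not quoted in the thread above (assumption):
#   0 = pinning disabled
#   1 = pins enforced, but chains ending in a locally added root are exempt (default)
#   2 = strict: pins enforced for every chain, locally added roots included
#   3 = enforce test mode (test pins enforced as well; no local-root exemption)
PINNING_PREF = "security.cert_pinning.enforcement_level"
DEFAULT_LEVEL = 1

# Matches prefs.js / user.js lines such as:
#   user_pref("security.cert_pinning.enforcement_level", 2);
#   pref("browser.startup.page", 1);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js / user.js text into a dict of pref name -> raw value string.

    Comment lines (// or /* or #) and blank lines are skipped; later lines win,
    matching how a profile file is read top to bottom.
    """
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "/*", "#", "*")):
            continue
        m = PREF_RE.match(stripped)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def pinning_level(prefs):
    """Return the effective enforcement level, falling back to the default when
    the pref is absent or not an integer (the report treats a malformed value as unset)."""
    raw = prefs.get(PINNING_PREF)
    if raw is None:
        return DEFAULT_LEVEL
    try:
        return int(raw)
    except ValueError:
        return DEFAULT_LEVEL


def pinning_status(level):
    """Classify what the preloaded pin list does against a chain that ends in a
    locally installed (non built-in) root at the given level."""
    if level == 0:
        return "disabled"          # no pins enforced for any chain
    if level == 1:
        return "bypassed-by-local-root"   # the case discussed in the thread
    if level in (2, 3):
        return "enforced"          # pins checked even with a local root present
    return "unknown-level"


def report(prefs_text):
    """Return (level, status) for a prefs.js / user.js body."""
    level = pinning_level(parse_prefs(prefs_text))
    return level, pinning_status(level)


# Constructed sample profile fragments (not taken from any real profile).
SAMPLE_DEFAULT_PROFILE = """\
// Mozilla User Preferences
user_pref("browser.startup.page", 1);
user_pref("network.cookie.cookieBehavior", 1);
"""

SAMPLE_STRICT_PROFILE = """\
// hardened user.js
user_pref("security.cert_pinning.enforcement_level", 2);
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT_PROFILE), ("strict", SAMPLE_STRICT_PROFILE)):
        level, status = report(text)
        print(f"{name}: enforcement_level={level} -> {status}")
```

Run against a profile directory's prefs.js (or an enterprise user.js) to see which state a fleet is actually in; a result of "bypassed-by-local-root" is the default and is exactly why the pin list offers no protection against a root that has been added to the local store, whether by security software or by anyone else with that access.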