I'm no security expert, but I was under the impression that HSTS pinning would make that hard to do, especially on sites like google.com.
And I can't quite parse your sentence to know if you're implying that all companies do... (or just that I shouldn't be so naive as to assume none are), but I can see the cert chain for google.com in my browser at ${big_company} and it doesn't seem like I'm being MITM'd.
You have conflated two technologies. Strict Transport Security is a header that tells the browser to stick to TLS connections only. If your admin has deployed a CA that your browser trusts and uses a cert from that CA to MITM your traffic, they will have no problems doing so ;)
Certificate pinning, on the other hand, allows a client to refuse to connect to a TLS service that fails to present the correct certificate. This is generally a win, however it still doesn't give you what you want.
Firefox and Chromium (including Chrome) browsers will only validate certificate pins if the presented certificate chains to a public trust anchor (in other words, the certificates deployed by the operating system). If the certificate chains to a private trust anchor (a certificate installed by your admin), Firefox and Chromium-based browsers will smile, wink, and play along.
So, yes, in theory these technologies could protect you, but the vendors that implemented Public Key Pinning opted to support the enterprise use case instead of protecting users.
It relies on HTTPS, which relies on certificates telling the browser that the website is what it claims to be, which relies on a list of trusted root CA certificates installed on your computer, which the company controls. Most companies will install a trusted root CA cert that is themselves onto employee computers (otherwise you'll get SSL errors when accessing internal HTTPS pages since they're not signed with those public root CAs).
My understanding is that, yes, this would be caught by pinning, which is why Chromium disables pinning for "private" root certificates, which is what it considers the ones that your employer has set up on your computer: http://www.chromium.org/Home/chromium-security/security-faq#...
Okay? I'm very familiar with that principle, but I don't understand how to take that statement and apply it to the situation at hand. No one has ever operated this computer except me (though I did enroll the corp wifi certs).
So again, how could I be MITM'd without being aware of it, given HSTS?
Yes, someone could have snuck in a hacked copy of Chrome Canary that exposes phony cert chain information... but that's not what we were talking about, and I don't think most IT departments have the sophistication required to pull that off.
(Note: MITM is just one way companies monitor employees, but by no means the only way. If your company provided your work computer to you, or if they installed anything on your BYOD computer, I would treat everything you do on that computer as cc'ed to your boss by default.)
I mean, that's how I MITM SSL traffic on a daily basis to do development.
None of that speaks to HSTS/Pinning... which is the feature meant to protect against this sort of thing. I'm specifically asking about how a company can bypass HSTS/Pinning without modifying my local browser.
Everything I'm reading indicates that's not possible.
> Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.
That last sentence is key. From Wikipedia: some browsers "disable pinning for certificate chains with private root certificates to enable various corporate content inspection scanners and web debugging tools. The RFC 7469 standard also recommends disabling pinning violation reports for such certificate chains."
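The pin-validation rule discussed in this thread, as an added example that is not from any commenter or browser's code: it models a leaf-first chain with made-up SPKI bytes, derives RFC 7469-style pins (base64 of SHA-256 over the SubjectPublicKeyInfo), and shows why a chain ending at an admin-installed root passes with default browser behaviour and would fail only if the private-root exemption were switched off. All certificate names and key bytes are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample "certificates": only the fields pin validation needs.
# Real browsers hash the DER-encoded SubjectPublicKeyInfo; these bytes are made up.
GOOGLE_LEAF = {"subject": "google.com", "issuer": "Public Intermediate CA", "spki": b"constructed-leaf-key"}
GOOGLE_INTER = {"subject": "Public Intermediate CA", "issuer": "Public Root CA", "spki": b"constructed-inter-key"}
PUBLIC_ROOT = {"subject": "Public Root CA", "issuer": "Public Root CA", "spki": b"constructed-public-root-key"}
CORP_LEAF = {"subject": "google.com", "issuer": "Corp Proxy CA", "spki": b"constructed-proxy-leaf-key"}
CORP_ROOT = {"subject": "Corp Proxy CA", "issuer": "Corp Proxy CA", "spki": b"constructed-corp-root-key"}
ROGUE_ROOT = {"subject": "Unknown CA", "issuer": "Unknown CA", "spki": b"constructed-unknown-root-key"}


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


BUILTIN_ANCHORS = {spki_pin(PUBLIC_ROOT["spki"])}   # shipped with the browser / OS
USER_ANCHORS = {spki_pin(CORP_ROOT["spki"])}        # installed by the admin (private trust anchor)
SITE_PINS = {spki_pin(GOOGLE_INTER["spki"]), spki_pin(PUBLIC_ROOT["spki"])}  # pins the site publishes


def validate(chain, pins, skip_private_roots=True):
    """Return (anchor_kind, pins_checked, pins_ok) for a leaf-first chain.

    anchor_kind is 'builtin', 'user' or 'untrusted'. With skip_private_roots=True
    (the Firefox/Chromium default described above) a chain that terminates at a
    user-added root is accepted without ever consulting the pins.
    """
    # Minimal chain-shape check: each cert must be issued by the next one.
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return ("untrusted", False, False)
    root_pin = spki_pin(chain[-1]["spki"])
    if root_pin in BUILTIN_ANCHORS:
        anchor = "builtin"
    elif root_pin in USER_ANCHORS:
        anchor = "user"
    else:
        return ("untrusted", False, False)
    if anchor == "user" and skip_private_roots:
        return (anchor, False, True)          # pin validation bypassed
    chain_pins = {spki_pin(c["spki"]) for c in chain}
    return (anchor, True, bool(chain_pins & pins))  # at least one pin must match


if __name__ == "__main__":
    print(validate([GOOGLE_LEAF, GOOGLE_INTER, PUBLIC_ROOT], SITE_PINS))
    print(validate([CORP_LEAF, CORP_ROOT], SITE_PINS))
    print(validate([CORP_LEAF, CORP_ROOT], SITE_PINS, skip_private_roots=False))
```

The third call is the counterfactual: with the exemption disabled, the proxy chain is rejected because none of its SPKI hashes match the site's pins.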
If you add CA certificates for the Wifi they probably (I'm not sure if you can tell it manually to not do that) are added to the system-wide trust store. IE and Chrome check that for CAs; Firefox will soon (https://bugzilla.mozilla.org/show_bug.cgi?id=1265113).
(All this is for Windows; I believe the same is true for OS X. Linux depends on your specific setup.)
> If you add CA certificates for the Wifi they probably (I'm not sure if you can tell it manually to not do that) are added to the system-wide trust store.
Internet Properties -> Content -> Certificates -> Advanced