Most browsers ship with more than 100 CA certificates (Firefox, for example, has ~176), and every one of them can sign certificates for any website.

So if any one of them is hacked, forced by law or just corrupt, a man-in-the-middle attack is possible on any SSL connection.

Even if someone uses their own SSL certificate on their server and adds it to the browser, no message is shown if another officially signed SSL certificate is used for the connection. For example, our SUSE admins, who have access to the private key of the SUSE CA certificate, can intercept and then decrypt any SSL connection to Google, Dropbox or whatever for all employees who have this certificate installed, if they really wanted to.

This flaw in SSL can be at least partly prevented if certificates are remembered per website (certificate pinning), so that the user is informed when a different one is used. The problem is that big companies like Google have hundreds of their own certificates, which change all the time, but at least remembering the certificate authority (CA pinning) would provide more security.

There is already an add-on for Firefox, but it hasn't been updated since 2011 and, according to user comments, is no longer usable because of the flood of certificates from big companies.

Google also uses pinning in Chrome for their own certificate, but I am not sure how the user would get informed.

It would be great to have a simple Chromium/Chrome extension to pin certificates, at least manually, and maybe to support CA pinning.

I haven't written any extension for Chromium before and I am not sure if the Chromium API allows this at all. So I will see which SSL information is provided by Chrome first.
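The pinning idea described above, as an added example that is not part of the original project description: a trust-on-first-use pin check that contrasts pinning the exact certificate with pinning only the issuing CA. The `PinStore` class, the host name and the byte strings standing in for DER-encoded certificates are all constructed for illustration.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

class PinStore:
    """Trust-on-first-use pins per host (hypothetical helper)."""

    def __init__(self):
        self.pins = {}  # host -> {"leaf": fingerprint, "ca": fingerprint}

    def check(self, host, leaf_der, ca_der, mode="leaf"):
        """Return 'first-use', 'ok', 'leaf-changed' or 'ca-changed'.

        mode='leaf' pins the exact certificate; mode='ca' pins only the
        issuer, so routine rotation under the same CA stays silent.
        """
        seen = {"leaf": fingerprint(leaf_der), "ca": fingerprint(ca_der)}
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen           # remember what was seen first
            return "first-use"
        if seen["ca"] != pinned["ca"]:
            return "ca-changed"              # different issuer: warn, keep old pin
        if seen["leaf"] != pinned["leaf"]:
            if mode == "leaf":
                return "leaf-changed"        # warn, keep old pin
            pinned["leaf"] = seen["leaf"]    # CA pinning: accept the rotation
        return "ok"

# Constructed placeholders standing in for DER certificates.
CA_1, CA_2 = b"constructed-ca-1", b"constructed-ca-2"
HANDSHAKES = [
    (b"constructed-leaf-a", CA_1),  # first visit
    (b"constructed-leaf-b", CA_1),  # routine rotation, same issuer
    (b"constructed-leaf-c", CA_2),  # chain that validates, but from another CA
]

def replay(mode):
    """Run the constructed handshakes against a fresh store."""
    store = PinStore()
    return [store.check("example.test", leaf, ca, mode) for leaf, ca in HANDSHAKES]

if __name__ == "__main__":
    for mode in ("leaf", "ca"):
        print(mode, replay(mode))
```

Leaf pinning warns on every rotation, which is the "flood of certificates" problem; CA pinning stays quiet on rotation and still flags the switch to a different issuer.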


This project is part of:

Hack Week 12

Comments

  • thardeck
    about 2 years ago by thardeck | Reply

    Getting information about TLS certificates as a Chrome extension doesn't seem to be possible in Chrome: https://code.google.com/p/chromium/issues/detail?id=107793

  • thardeck
    about 2 years ago by thardeck | Reply

    Since this isn't possible, I will research a little about potential SSL fixes like http://www.certificate-transparency.org/, DNSSEC and things like SSL certificate blockchains.