6

On https://dev.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters- and in the first yellow box of https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning, it says that Google Chrome and Firefox disable pin validation for hosts (servers) that use a self-signed certificate. The server that I am connecting to uses a self-signed certificate which I trust by adding the self-created authority that signed it as trusted in my Google Chrome HTTPS/SSL settings. Is there a way I can still verify that the certificate presented to me is really from the server, and not from an attacker who uses a certificate signed by some other trusted authority (a hacked one for example, like in the DigiNotar scandal)?

peter
  • 95
  • 7
  • Are you sure that your certificate is [self-signed](https://en.wikipedia.org/wiki/Self-signed_certificate)? Did the certificate sign itself, or did you create a self-signed CA certificate that signed the certificate? – Sjoerd May 09 '17 at 14:03
  • @Sjoerd Yes, I created my own authority (basically just a public/private key pair that is stored in a .crt and .key file) and then used this authority's private key to sign my server certificate. Subsequently I added the authority .crt file to my trusted authorities in Chrome/Firefox. – peter May 09 '17 at 14:55

1 Answer

2

You have two solutions:

Tom
  • 2,063
  • 12
  • 19
  • 1
    Thank you. Unfortunately, Certificate Patrol does not work for me as I am using socket.io to connect to the server (so I don't type in the server's IP address in the browser). I tested with Certificate Patrol, and it does not give pop-ups if I change the server certificate. – peter May 09 '17 at 14:57