Bypass Chromes SSL/certificate blockades
Authored by: gboudrea on Jun 13, '14 09:17:46AM

This must be the worst possible hint ever!

"Oh, someone/something down the line between me and some secure website is replacing the site's real SSL certificate with his own. I don't know who or why, but here's how I'll just bypass all the warnings I should receive, and browse in the most insecure way possible. Oh, and hey, you should try it too, if you ever get the same invalid SSL certificate as me, because obviously, making the warning message go away is the right way to fix this issue. Don't try to find the source of the problem..."

*sigh*

Unless you understand how SSL certificates work, you understand why you are receiving these warnings, and can verify that the invalid certificates you're receiving are the right ones, you should never EVER use the --ignore-certificate-errors command-line option. And even then, you should not use it to browse any other websites than the ones you control the SSL certificates of.

Further reading: chromium: Add more security-relevant flags to the bad flags infobar
In particular:
#6 jln@chromium.org
There are indeed a lot of flags that would reduce or annihilate Chrome's security. These flags should not be used by non developers. [...]



Bypass Chromes SSL/certificate blockades
Authored by: leichter on Jun 14, '14 07:05:23AM
I'm with gboudrea on this 100%. This hint describes a way to effectively disable certificate security in Chrome. It's a bad idea to do at all, but beyond that ... it's pretty much guaranteed that you're eventually going to forget you started Chrome with this option and start using it even when you didn't intend to.

There is a better approach, but it requires understanding how SSL and these SSL interceptors work. When you connect to a site using https, it sends you its certificate, which attests that the site really is who it claims to be. Why should you believe that attestation? The certificate is signed by a Certificate Authority (CA). Why do you trust the CA? Your browser or OS comes with a collection of "known, trusted CA's"; if the CA that signed the certificate is not on that list, your browser rejects it. (Think of the certificate as your passport; you can show it to prove you are who you claim. People accept a passport because they are issued by trustworthy governments and are hard to forge. And, yes, just as with certificates and CA's, all of this is "to the degree you are willing to trust".)

CA's sign their own approvals and such - "trusting a CA" means that your browser has an independent copy of that CA's own signing certificate (it knows what that country's passports are supposed to look like). It's those CA certificates that make up the list of "known, trusted CA's".

The way an interceptor works is that it terminates your connection, manufactures a certificate for the site you were trying to go to, signs it while acting as a CA (with its own certificate), and then, if your browser accepts it, forwards messages back and forth for you over its own connection to the site you are interested in. Your Chrome, however, will never have heard of the interceptor's CA - what's this country of Transpacifica you claim to be from? - and will reject the certificate.

The reason your coworkers and you don't run into this on employer-provided computers is that your IT organization added the interceptor's CA to the list of trusted CA's before it gave you your work machine. If you want your personal machine to also trust their interceptor, you can do the same. This is a slightly complicated operation and I won't try to go into the details here. For one thing, there's more than one store of such CA's. OSX maintains one that's used by Safari, I think Firefox, and many other tools (like Mail and many third-party products) that use SSL on OSX. Chrome, however, maintains its own store.

---
-- Jerry



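The trust-list behaviour described in the comments above, reproduced offline with the openssl command line. This is an added example, not part of either comment; it assumes the openssl CLI is installed, and every CA, hostname and file name in it is constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: all keys, certificates and names are generated locally in a
# temp directory. No real trust store is read or modified.

# make_ca <name> <common name>: self-signed CA certificate <name>.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_leaf <ca name> <leaf name> <hostname>: site certificate signed by that CA
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# trusted_by <store.pem> <leaf.pem>: exit 0 only if the leaf chains to a CA
# listed in the store file (the "known, trusted CAs" list).
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    DEMO_DIR=$(mktemp -d) && cd "$DEMO_DIR" || return 1
    make_ca public_ca "Constructed Public CA"
    make_ca interceptor_ca "Constructed Interceptor CA"
    issue_leaf public_ca real_site www.example.test          # what the site sends
    issue_leaf interceptor_ca proxy_site www.example.test    # what the interceptor sends
    cp public_ca.pem personal_store.pem                      # personal machine
    cat public_ca.pem interceptor_ca.pem > work_store.pem    # IT added its CA
    for store in personal_store work_store; do
        for leaf in real_site proxy_site; do
            if trusted_by "$store.pem" "$leaf.pem"; then verdict=accepted
            else verdict=REJECTED; fi
            echo "$store: $leaf certificate $verdict"
        done
    done
}
demo
```

The only rejected combination is the personal store with the interceptor-signed certificate; the work store accepts both, which is why the substitution goes unnoticed on a machine whose trust list already contains the interceptor's CA.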