This article exposes how around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper states:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
It is pretty common for companies, desktop antivirus and malware/adware to add a root CA. Sometimes even with honest reasons. But to make the situation more clear: SSL web browsing is exactly as strong as the weakest CA (this includes DNS, if DNS-over-HTTPS).
I want to check if my HTTPS traffic is intercepted in at least three aspects (better if just with CLI):
- Google Chrome/Chromium
- Firefox (Red Hat equivalent?)
- Ubuntu official repos/Snap (See ca-certificates & ca-cacert. Red Hat equivalent?)
So the real questions are:
- How to list unofficially installed CA certificates (ones that don't come with Ubuntu/Firefox/Chrome) to avoid MITM attacks/HTTPS interception?
- How to reset the trusted certificate stores to their defaults?
Some research and related questions
checkmyhttps seems old and not trustworthy
Chrome: chrome://settings/certificates
Is this a subset of what some of these commands return?

```
# System wide (I)
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
# System wide (II) (p11-kit package)
trust list
```

- `certutil -L -d ~/.mozilla/firefox/*.default*/`
I already ran `sudo update-ca-certificates -v -f`. Does this just update without removing any sneaky already installed certificate?
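One way to answer the "list unofficially installed CA certificates" part is to diff the live PEM bundle against a baseline of fingerprints recorded from a trusted, freshly installed machine. The script below is an added example, not code from the question or from any distribution tool; it assumes the baseline is taken from the distro's own bundle (on Debian/Ubuntu, `/etc/ssl/certs/ca-certificates.crt` right after installing `ca-certificates`) and uses constructed placeholder PEM blocks (not real certificates) so it runs offline.

```python
"""Audit a PEM CA bundle against a known-good baseline of fingerprints.

Added example (not from the original question). Assumed workflow:
  1. On a trusted, freshly installed machine, record the fingerprints of
     the distribution's own bundle (the baseline).
  2. On the machine under audit, compare its bundle against that baseline.
Anything present locally but absent from the baseline was added outside
the distribution package and deserves a closer look.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_bundle(bundle_text):
    """Return every PEM certificate block found in a bundle string."""
    return PEM_BLOCK.findall(bundle_text)


def pem_to_der(pem_block):
    """Strip the BEGIN/END lines and base64-decode the body to DER bytes."""
    body_lines = pem_block.strip().splitlines()[1:-1]
    return base64.b64decode("".join(body_lines))


def fingerprint(pem_block):
    """SHA-256 fingerprint of the DER encoding, as lowercase hex."""
    return hashlib.sha256(pem_to_der(pem_block)).hexdigest()


def build_baseline(bundle_text):
    """Fingerprints of a trusted bundle, to be saved and reused later."""
    return {fingerprint(p) for p in split_bundle(bundle_text)}


def audit_bundle(bundle_text, baseline_fps):
    """Compare a bundle against the baseline.

    Returns a dict with:
      unknown -- fingerprints present locally but not in the baseline
                 (candidates for locally injected interception roots)
      missing -- baseline roots the local bundle no longer carries
    """
    local = build_baseline(bundle_text)
    return {
        "unknown": sorted(local - set(baseline_fps)),
        "missing": sorted(set(baseline_fps) - local),
    }


# --- constructed sample data (placeholder bytes, not real certificates) ----
def _fake_pem(label):
    body = base64.encodebytes(f"constructed-der-{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----"


TRUSTED_BUNDLE = "\n".join(_fake_pem(n) for n in ("root-a", "root-b"))
# The audited host carries the two shipped roots plus one extra root
# (constructed "corp-proxy-root") that the package never shipped.
AUDITED_BUNDLE = "\n".join(
    _fake_pem(n) for n in ("root-a", "root-b", "corp-proxy-root"))
BASELINE = build_baseline(TRUSTED_BUNDLE)


def demo_unknown_count():
    """Number of roots in the constructed audited bundle not in the baseline."""
    return len(audit_bundle(AUDITED_BUNDLE, BASELINE)["unknown"])


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python audit_bundle.py trusted-bundle.crt audited-bundle.crt
        with open(sys.argv[1]) as f:
            base = build_baseline(f.read())
        with open(sys.argv[2]) as f:
            result = audit_bundle(f.read(), base)
    else:
        result = audit_bundle(AUDITED_BUNDLE, BASELINE)
    for fp in result["unknown"]:
        print("UNKNOWN root (not in baseline):", fp)
    for fp in result["missing"]:
        print("MISSING baseline root:", fp)
```

On Debian/Ubuntu, `update-ca-certificates` assembles the bundle from `/usr/share/ca-certificates` (shipped by the package) plus `/usr/local/share/ca-certificates` (local additions), so listing the latter directory is a quick first check; the fingerprint diff additionally catches roots that reached the bundle by any other route. Firefox keeps its own NSS store, which the `certutil -L` command above lists; that output is not PEM, so only feed the script PEM bundles.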