[Privoxy-devel] https inspection vs HPKP

Lee ler762 at gmail.com
Thu Jul 23 01:36:17 UTC 2020


On 7/22/20, Fabian Keil <fk at fabiankeil.de> wrote:
> Lee <ler762 at gmail.com> wrote:
>
>> Is there a way to tell Firefox to not do certificate pinning if the
>> cert comes from my bogus CA?
>
> According to:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
> this should happen by default:
>
> | Firefox and Chrome disable pin validation for pinned hosts
> | whose validated certificate chain terminates at a user-defined
> | trust anchor (rather than a built-in trust anchor). This means
> | that for users who imported custom root certificates all pinning
> | violations are ignored.

Right.  I shot myself in the foot - I had this bit in my user.js
// security.cert_pinning.enforcement_level
//    0. Pinning disabled
//    1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
//    2. Strict. Pinning is always enforced.
//    3. Enforce test mode.
user_pref("security.cert_pinning.enforcement_level", 2);

Set it back to a 1 and youtube works again

Lee
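
Added example, not part of the original message and not Privoxy or Firefox code: a check that reads a user.js and reports whether its security.cert_pinning.enforcement_level setting will make pinned sites fail behind an inspecting proxy whose CA was imported by the user. The function names and the sample user.js are constructed; it assumes integer prefs written as user_pref("name", N); and that a later line overrides an earlier one.

```python
import re

PREF = "security.cert_pinning.enforcement_level"
DEFAULT_LEVEL = 1  # "Allow User MITM", the default per the comment block above

# Match string literals first so a "//" inside a URL value is not taken as a comment.
_TOKEN = re.compile(r'("(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*', re.S)
_USER_PREF = re.compile(r'user_pref\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;')

# Constructed sample: one commented-out pref, one string pref, one live pref.
SAMPLE_USER_JS = '''
// user_pref("security.cert_pinning.enforcement_level", 0);
user_pref("browser.startup.homepage", "https://example.org/"); // home
user_pref("security.cert_pinning.enforcement_level", 2);
'''


def effective_level(user_js_text):
    """Return the level user.js sets for PREF, or None if it never sets it."""
    code = _TOKEN.sub(lambda m: m.group(1) or "", user_js_text)
    level = None
    for name, value in _USER_PREF.findall(code):
        if name == PREF:
            level = int(value)  # assumption: the last assignment wins
    return level


def inspection_verdict(user_js_text):
    """Classify the setting for HTTPS inspection with a user-imported CA.

    "ok"      - 0 (pinning disabled) or 1 (not enforced for user-inserted CAs)
    "breaks"  - 2 (strict): pinned hosts are rejected, as happened in the post
    "unknown" - 3 (test mode) or any other value; the thread does not cover it
    """
    level = effective_level(user_js_text)
    if level is None:
        level = DEFAULT_LEVEL
    if level in (0, 1):
        return "ok"
    if level == 2:
        return "breaks"
    return "unknown"


if __name__ == "__main__":
    print(effective_level(SAMPLE_USER_JS), inspection_verdict(SAMPLE_USER_JS))
```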

