Android Chrome 99 expands Certificate Transparency, breaking all MitM dev tools

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • apk-mitm

    🤖 A CLI application that automatically prepares Android APK files for HTTPS inspection

  • > For example, Chrome Desktop, Firefox, and IE did not enforce HPKP if they encountered a cert from a user-added CA. Why does Android do the opposite?

    Your examples are all browsers. I understood that Chrome on Android will continue to support using a user-added CA added to the user store. Android and desktops behave exactly the same for web browsers.

    Non-browser apps are where the differences exist. On Android you must opt in each app to trust the user store. I'd imagine that the next step is automating https://github.com/shroudedcode/apk-mitm to bulk replace all installed apps with modified APKs.

  • mitmproxy

    An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

  • Enforcing CT is good, but that doesn't excuse the treatment of user-added CAs. On all platforms but Android, user-added CAs are considered particularly trustworthy. For example, Chrome Desktop, Firefox, and Edge will not enforce HPKP if they encounter a cert from a user-added CA. Why does Android do the opposite? I don't see the threat model they are addressing.

    We (mitmproxy) have repeatedly tried to get an answer to this from the Android folks (e.g. here: https://github.com/mitmproxy/mitmproxy/issues/2054#issuecomm...). It very much feels like they just want to kill uncomfortable privacy research.

  • chromium

    The official GitHub mirror of the Chromium source

  • I don't think the purpose of CT is to protect against anything on your local computer. It's to protect against CAs getting hacked or coerced by governments into issuing malicious certs.

    CT's design really doesn't make sense if the goal is to protect against local malware. Why would it need public ledgers and Merkle trees containing every issued certificate if it was just to protect against local malware?

    Anyways, local malware isn't in Chrome's threat model:

    https://chromium.googlesource.com/chromium/src/+/master/docs...

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
