Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's pretty common for these devices to require you to install their generated CA cert on every machine in the corporation. Administrators deploy it to the domain with a group policy object IIRC.

Firefox users end up having to install it by hand, or else every website comes up as "you are being attacked by a MITM!!!!", which is technically true.



Sadly this also puts laptop users in the situation that they always need to vpn to the office otherwise sites that use HSTS will break either when on or outside the corporate networks, depending on when you visited the site first.


HSTS allows self signed certs as long as the cert is manually installed to the OS trust store for exactly that reason.


Okay. Does that also hold when only the CA is installed? On my machine both Safari and Chrome prevent loading google and stackoverflow because when accessing them through the corporate proxy I get a certificate which is signed by the corporate inspection gateway ca.


It works for me. Install the resign CA cert as a trusted CA and the page will load just fine.

Click on the padlock in Firefox and hit the right arrow next to the domain and it will even say "Verified by: [your corp]"




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: