
https://scotthelme.co.uk/hpkp-http-public-key-pinning/

Chrome also preloads HPKP information for many sites.

It's interesting to note that certificates signed by a locally installed CA (e.g. an org's MitM proxy CA) will be considered acceptable. If MCS had just made their own private root CA and deployed it to their machines there wouldn't have been an issue.
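The behaviour that comment describes is worth seeing as logic rather than prose. The following is an added example (not code from the thread, from Chrome, or from the linked article) that parses a Public-Key-Pins header as specified in RFC 7469, derives a pin from a SubjectPublicKeyInfo in the same way a browser does (base64 of the SHA-256 of the DER SPKI), and then evaluates a served chain against the policy. Function names (`parse_hpkp_header`, `spki_pin`, `evaluate_chain`) and the short byte strings standing in for real DER SPKI structures are constructed for illustration. The `root_is_user_installed` branch models the client-side rule the comment refers to: pins are only enforced for chains that terminate in a built-in trust anchor, so a chain ending in an administrator-installed root passes without a pin match, while a chain built from a publicly trusted intermediate must contain one of the pinned keys.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class HpkpPolicy:
    """Parsed Public-Key-Pins policy (RFC 7469 section 2.1)."""
    pins: Set[str] = field(default_factory=set)
    max_age: int = 0
    include_subdomains: bool = False
    report_uri: Optional[str] = None


def spki_pin(spki_der: bytes) -> str:
    """Pin value for a SubjectPublicKeyInfo: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp_header(value: str) -> HpkpPolicy:
    """Parse the header value into a policy, enforcing the RFC's minimum requirements."""
    policy = HpkpPolicy()
    saw_max_age = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "pin-sha256":
            policy.pins.add(raw)
        elif name == "max-age":
            policy.max_age = int(raw)
            saw_max_age = True
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "report-uri":
            policy.report_uri = raw
        # Unknown directives are ignored, as the RFC requires.
    if not saw_max_age:
        raise ValueError("Public-Key-Pins requires a max-age directive")
    if len(policy.pins) < 2:
        # RFC 7469 section 2.5: at least one backup pin must be present.
        raise ValueError("Public-Key-Pins requires at least two pin-sha256 values")
    return policy


def evaluate_chain(policy: HpkpPolicy, chain_spkis: List[bytes],
                   root_is_user_installed: bool) -> Tuple[bool, str]:
    """Decide whether a validated chain satisfies the pin policy.

    chain_spkis: DER SPKI of every certificate in the chain, leaf first.
    root_is_user_installed: True when the chain's trust anchor was added by the
    user or an administrator rather than shipped with the client's root store.
    """
    if root_is_user_installed:
        # Browsers skip pin validation for locally installed roots so that
        # corporate inspection proxies and developer CAs keep working.
        return True, "pin validation skipped: chain ends in a locally installed trust anchor"
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    if policy.pins & chain_pins:
        return True, "pin matched"
    return False, "no pinned key found in the validated chain"


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF_SPKI = b"CONSTRUCTED-SPKI:site-leaf-key"
ISSUER_SPKI = b"CONSTRUCTED-SPKI:public-intermediate"
BACKUP_SPKI = b"CONSTRUCTED-SPKI:offline-backup-key"
PROXY_LEAF_SPKI = b"CONSTRUCTED-SPKI:proxy-minted-leaf"
PROXY_CA_SPKI = b"CONSTRUCTED-SPKI:inspection-proxy-ca"

# Header as the site would serve it: pin the leaf plus an offline backup.
EXAMPLE_HEADER = (
    f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    'max-age=5184000; includeSubDomains; report-uri="https://report.example.invalid/hpkp"'
)


if __name__ == "__main__":
    policy = parse_hpkp_header(EXAMPLE_HEADER)
    print("genuine chain:", evaluate_chain(policy, [LEAF_SPKI, ISSUER_SPKI], False))
    print("proxy chain, publicly trusted root:",
          evaluate_chain(policy, [PROXY_LEAF_SPKI, PROXY_CA_SPKI], False))
    print("proxy chain, locally installed root:",
          evaluate_chain(policy, [PROXY_LEAF_SPKI, PROXY_CA_SPKI], True))
```

Run stand-alone, the script shows the three outcomes side by side: the site's own chain matches a pin, a proxy-minted chain that hangs off a publicly trusted issuer is rejected (which is how a misissued intermediate surfaces as pin failures in the browser and in the report-uri feed), and the same proxy chain rooted in a locally installed CA is accepted without consulting the pins at all.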



They weren't even trying to do that, is the saddest part. They were trying to be a real CA, but they weren't trying to MITM. (It's common practice for new / young CAs to chain their CA cert off a more established CA.)

They just, for some reason, decided that they wanted to store their cert on a Palo Alto Networks device that supported MITMing as a feature, and accidentally turned on MITM mode and plugged someone's laptop into it.

The intended use case of that feature on that device is in fact to hand it a private intermediate, not a publicly-trusted intermediate.


"accidentally".

Playing fast and loose with a CA key and installing it on random devices like this speaks volumes about their understanding of, and respect for, the world wide CA system.


> It's interesting to note that certificates signed by a locally installed CA (e.g. an org's MitM proxy CA) will be considered acceptable. If MCS had just made their own private root CA and deployed it to their machines there wouldn't have been an issue.

I believe this is how Microsoft Family Safety works, as far as I know.


This is how all corporate SSL inspection works.




