Using HSTS to Force Install of CA Root Certificate to Client Computers

Provided by: Sebbe
Topic: Networking
Format: PDF
In this paper, the authors identify and describe how to solve the problem that HSTS and HPKP cause in corporate settings, public hotspots and other settings where a so-called SSL intercepting proxy is used to monitor the content of HTTPS traffic and, in case of a violation, block the page from being viewed. The aim is to do this without causing HSTS and HPKP violations. Setting up a captive portal is the proposed solution for regulating access to the network in question. It has been tested with pfSense, but can be used with a captive portal from almost any manufacturer. The advantage is that there is no way to proceed and access the network without installing the CA root certificate: the user cannot acquire a valid token to gain access to the network if the CA certificate is not installed.
