# Copyright 2016 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
version_id: 7
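# List of SPKI hashes of certificates that are treated as captive portal
# certificates. Each hash is the base64-encoded SHA-256 of the certificate's
# SubjectPublicKeyInfo, so an entry identifies a public key rather than one
# specific certificate. See
# components/security_interstitials/content/ssl_error_assistant.proto for the
# full format.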
# https://captive-portal.badssl.com leaf.
# This is a test certificate; always keep it at the top.
captive_portal_cert {
sha256_hash: "sha256/fjZPHewEHTrMDX3I1ecEIeoy3WFxHyGplOLv28kIbtI="
}
################################################################################
# The rest of the certificates are sorted case-insensitively by the first line
# of their comments.
# See http://go/chrome-captive-portal-list for instructions to update this list.
# Always On
# Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited,
# CN=COMODO High-Assurance Secure Server CA
# Subject: C=ZA/postalCode=0157, ST=Gauteng,
# L=CENTURION/street=1020 SASBY AVENUE ELDORAIGNE,
# O=Always On Broadband Wireless Solutions, OU=InstantSSL,
# CN=gateway.alwayson.co.za
captive_portal_cert {
sha256_hash: "sha256/m/nBiLhStttu1YmOz7Y3D2u1iB1dV2CbIfFa3R2YW5M="
}
# auth.impulse.com
# https://crt.sh/?q=d92d97e4d17ce28a7c844f58b0d1cda44e604b959cff998435e01777777ce715
captive_portal_cert {
sha256_hash: "sha256/8Iuf4xRbVCmCMQTJn3rxlglIO1IOKoyuSUgmXyfaIKs="
}
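# NOTE(review): this entry has no name line to sort by. Given its position it
# appears to belong with the auth.impulse.com entry above; confirm against the
# crt.sh record.
# https://crt.sh/?q=AB+DF+09+66+47+46+2D+B6+D1+4F+AC+B8+13+7B+D6+8C+8B+B7+26+A9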
captive_portal_cert {
sha256_hash: "sha256/8IHdrS+r6IWzSMcRcD/GA6mBxk1ECX8tGRW0rtGWILE="
}
# beeline.ru
# https://crt.sh/?q=e64aa319a108ce49931ac19bf32f838f8db7427150cf7a781af7d9ff76f75cac
captive_portal_cert {
sha256_hash: "sha256/k/2eeJTznE32mblA/du19wpVDSIReFX44M8wXa2JY30="
}
# BT Wi-fi
# https://crt.sh/?q=9e6bc5f9ecc52460e8edc02c644d1be1cb9f2316f41daf3b616a0b2058294b31
captive_portal_cert {
sha256_hash: "sha256/urWd7jMwR6DJgvWhp6xfRHF5b/cba3iG0ggXtTR6AfM="
}
# controller.access.network
# https://crt.sh/?q=1544e807f17771b98a382b6b7faf2f2faf45eda44f460c4f8054b9eab845b860
captive_portal_cert {
sha256_hash: "sha256/IJPCDSE5tM9H3nuD5m6RU2i9KDdPXVn4qmC/ULlcZzc="
}
# hotelwifi.com
# https://crt.sh/?q=f9dca04c4ac67f346c505c6a9bdc931c5272547dbb512a138c4459a903b023c7
captive_portal_cert {
sha256_hash: "sha256/0Gy8RMdbxHNWR2GQJ62QKDXORYf5JmMmnr1FJFPYpzM="
}
# Innflux
# Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
# OU=http://certs.godaddy.com/repository/,
# CN=Go Daddy Secure Certificate Authority - G2
# Subject: OU=Domain Control Validated, CN=gateway.innflux.com
captive_portal_cert {
sha256_hash: "sha256/8tTICtyaxIQrdbYYDdgZhTN0OpM9kYndvoImtw1Ys5E="
}
# kewiko.mn
# Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
# OU=http://certs.godaddy.com/repository/,
# CN=Go Daddy Secure Certificate Authority - G2
# Subject: OU=Domain Control Validated, CN=wireless.kewiko.mn
captive_portal_cert {
sha256_hash: "sha256/F7HIlsaG0bpJW8CzYekRbtFqLVTTGqwvuwPDqnlLct0="
}
# login.globalsuite.net
# https://crt.sh/?q=ed4119e407aa22f507617226bbf2009fdbca55079a2c2f8eebda84e3173006a6
captive_portal_cert {
sha256_hash: "sha256/zaV2Aw1A742R1+WpXWvL5atsJbGmeSS6dzZOfe6f1Yw="
}
# login.netinary.net
# Issuer: C=US, O=thawte, Inc., CN=thawte SSL CA - G2
# Subject: C=FR, ST=Bouches-du-Rhône, L=MARSEILLE, O=NETINARY,
# OU=Security, CN=login.netinary.net
captive_portal_cert {
sha256_hash: "sha256/UwOkRGMlP0K/mKNJdpQ0sTg2ean9Tje8UTOvFYzt1GE="
}
# mobicare.com.br
# https://crt.sh/?q=bf9a13fc64b18221a6f0360e95ba54714d8ebf70a0291b7ea5f357be30436a7a
captive_portal_cert {
sha256_hash: "sha256/w7KUXE4/BAo1YVZdO3mBsrMpu4IQuN0mhUXUI//agVU="
}
# ombord.info
# https://crt.sh/?q=f849586eedb4c754fc53e4352948d36097ae7fec50abc5f93c08239719c8184a
captive_portal_cert {
sha256_hash: "sha256/JnPvGqEn36FjHQlBXtG1uWwNtdMj1o2ojR/asqyypNk="
}
# Orange France
# Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
# CN=Symantec Class 3 Secure Server CA - G4
# Subject: C=FR, ST=Paris, L=Paris, O=Orange, OU=Orange France,
# CN=hautdebitmobile.orange.fr
captive_portal_cert {
sha256_hash: "sha256/AUSXlKDCf1X30WhWeAWbjToABfBkJrKWPL6KwEi5VH0="
}
# virginwifi.io
# Issuer: O=GeoTrust Inc., CN=RapidSSL SHA256 CA - G2, C=US
# Subject: CN=*.virginwifi.io
captive_portal_cert {
sha256_hash: "sha256/zSyVjjFJMIeXK0ktVTIjewwr6U5OePRqyY/nEXTI4P8="
}
# wifipass.org
# https://crt.sh/?q=1cce212718a7cf65ce33acde91b5bc66863d14ae259fbaf841f83bf89748f5fd
captive_portal_cert {
sha256_hash: "sha256/9dcHlrXN2WV/ehbEdMxMZ8IV4qvGejCtNC5r6nfTviM="
}
# wifisignon.shaw.ca
# Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
# CN=Symantec Class 3 Secure Server CA - G4
# Subject: C=CA, ST=Alberta, L=Calgary, O=Shaw Cablesystems G.P., OU=TNO,
# CN=wifisignon.shaw.ca
captive_portal_cert {
sha256_hash: "sha256/E+0WZLGSIe5nddlVKZ5fYzaNHHCE3hNqi/OWZD3iKgA="
}
# wifree.voo.be
# Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com,
# CN=DigiCert SHA2 High Assurance Server CA
# Subject: C=BE, ST=Liege, L=Liege, O=Tecteo Group, CN=wifree.voo.be
captive_portal_cert {
sha256_hash: "sha256/QJ/69CTHYPRa0I3UVlwD6N4MtToxpQ1+0izyGnqEHQo="
}
# wireless.wifirst.net
# Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
# Subject: OU=Domain Control Validated, OU=Gandi Standard SSL,
# CN=wireless.wifirst.net
captive_portal_cert {
sha256_hash: "sha256/LKtpdq9q7F7msGK0w1+b/gKoDHaQcZKTHIf9PTz2u+U="
}
# https://mitm-software.badssl.com leaf.
# This is a test certificate, keep it at the top of the MITM software list.
mitm_software {
name: "BadSSL Antivirus",
issuer_common_name_regex: "BadSSL MITM Software Test"
}
################################################################################
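# The rest of the MITM software entries are sorted alphabetically by name.
# Each entry matches on the issuer common name and/or issuer organization of
# the presented certificate. These are plain name strings that anyone can put
# in a certificate, so a match presumably only selects which error page is
# shown and is not evidence of who issued the certificate.
# NOTE(review): the patterns look like they are meant to match the whole field
# (see the explicit trailing ".*" on the Blue Coat entry). Confirm the matching
# mode before adding a pattern, and escape regex metacharacters such as "." in
# literal names.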
mitm_software {
name: "Avast Antivirus",
issuer_common_name_regex: "avast! Web/Mail Shield Root",
issuer_organization_regex: "avast! Web/Mail Shield"
}
mitm_software {
name: "Bitdefender Antivirus",
issuer_common_name_regex: "Bitdefender Personal CA\.Net-Defender",
issuer_organization_regex: "Bitdefender"
}
mitm_software {
name: "Cisco Umbrella",
issuer_common_name_regex: "Cisco Umbrella Root CA",
issuer_organization_regex: "Cisco"
}
mitm_software {
name: "Cisco Umbrella",
issuer_common_name_regex: "Cisco Umbrella Primary SubCA",
issuer_organization_regex: "Cisco"
}
mitm_software {
name: "ContentKeeper",
issuer_common_name_regex: "ContentKeeper Appliance CA \(\d+\)",
issuer_organization_regex: "ContentKeeper Technologies"
}
mitm_software {
name: "Cyberoam Firewall",
issuer_organization_regex: "Cyberoam Certificate Authority"
}
mitm_software {
name: "ForcePoint",
issuer_common_name_regex: "Forcepoint Cloud CA",
issuer_organization_regex: "Forcepoint LLC"
}
mitm_software {
name: "Fortigate",
issuer_common_name_regex: "FortiGate CA",
issuer_organization_regex: "Fortinet"
}
mitm_software {
name: "Fortinet",
issuer_organization_regex: "Fortinet( Ltd\.)?"
}
mitm_software {
name: "Kaspersky Internet Security",
issuer_common_name_regex: "Kaspersky Anti-Virus Personal Root Certificate"
}
mitm_software {
name: "McAfee Web Gateway",
issuer_common_name_regex: "McAfee Web Gateway"
}
mitm_software {
name: "NetSpark",
issuer_common_name_regex: "www\.netspark\.com",
issuer_organization_regex: "NetSpark"
}
mitm_software {
name: "SmoothWall Firewall",
issuer_common_name_regex: "Smoothwall-default-root-certificate-authority"
}
mitm_software {
name: "SonicWall Firewall",
issuer_organization_regex: "HTTPS Management Certificate for SonicWALL"
}
mitm_software {
name: "Sophos",
issuer_common_name_regex: "Sophos SSL CA_[A-Z0-9\-]+",
issuer_organization_regex: "Sophos"
}
mitm_software {
name: "Sophos",
issuer_common_name_regex: "Sophos_CA_[A-Z0-9]+"
}
mitm_software {
name: "Sophos UTM",
issuer_common_name_regex: "sophosutm Proxy CA",
issuer_organization_regex: "sophosutm"
}
mitm_software {
name: "Sophos Web Appliance",
issuer_common_name_regex: "Sophos Web Appliance",
issuer_organization_regex: "Sophos Plc"
}
mitm_software {
name: "Symantec Blue Coat",
issuer_organization_regex: "Blue Coat.*"
}
mitm_software {
name: "Trend Micro InterScan Web Security Suite (IWSS)",
issuer_common_name_regex: "IWSS\.TREND"
}
mitm_software {
name: "Zscaler",
issuer_organization_regex: "Zscaler Inc\."
}
################################################################################
# Dynamic interstitials
# Potentially compromised Mitel keys.
# https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-17-0001
#
# These keys have been blacklisted, but some of them also use weak signature
# algorithms, so they may already have stopped working in Chrome. We trigger
# the MITM interstitial for ERR_CERT_REVOKED and also for
# ERR_CERT_WEAK_SIGNATURE_ALGORITHM when appropriate. (We're not guaranteed to
# receive one error code or the other.)
#
# All fields for these entries should match except |cert_error| and
# |sha256_hash|.
dynamic_interstitial {
cert_error: ERR_CERT_REVOKED,
sha256_hash: "sha256/cH02TnKuUhQx3ZU4l/nEhG1bjDJCmP5T+9StofLRFX8=",
mitm_software_name: "Mitel",
interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}
dynamic_interstitial {
cert_error: ERR_CERT_WEAK_SIGNATURE_ALGORITHM,
sha256_hash: "sha256/cH02TnKuUhQx3ZU4l/nEhG1bjDJCmP5T+9StofLRFX8=",
mitm_software_name: "Mitel",
interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}
dynamic_interstitial {
cert_error: ERR_CERT_REVOKED,
sha256_hash: "sha256/atuOPgVUYJItFQHLl/lMagLjnI8ndMpAiCW3tYN53BQ=",
mitm_software_name: "Mitel",
interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}
dynamic_interstitial {
cert_error: ERR_CERT_REVOKED,
sha256_hash: "sha256/SQtuxr6y1gNHILUUm2spzTVRWYjMFq+FQUiwe5sfihE=",
mitm_software_name: "Mitel",
interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}
dynamic_interstitial {
cert_error: ERR_CERT_REVOKED,
sha256_hash: "sha256/71UShHFSMt6S4kbDIzKTYrEySTuxa1ieR3VSC+uHGlY=",
mitm_software_name: "Mitel",
interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}
dynamic_interstitial {
cert_error: ERR_CERT_WEAK_SIGNATURE_ALGORITHM,
sha256_hash: "sha256/71UShHFSMt6S4kbDIzKTYrEySTuxa1ieR3VSC+uHGlY=",
mitm_software_name: "Mitel",
interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}
# Potentially compromised Sennheiser HeadSetup and Sennheiser HeadSetup Pro
# certs.
# https://nvd.nist.gov/vuln/detail/CVE-2018-17612
dynamic_interstitial {
cert_error: ERR_CERT_REVOKED,
sha256_hash: "sha256/DEPqi83p/DvKFlZkrIIVVn40idU5OgyB4aeRQZkuGVM=",
mitm_software_name: "Sennheiser HeadSetup",
interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}
dynamic_interstitial {
cert_error: ERR_CERT_REVOKED,
sha256_hash: "sha256/j1kfeqTcPv6UkMOKRpLJAR7RKPHeWVVpQG13tvofa0w=",
mitm_software_name: "Sennheiser HeadSetup",
interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}