chromium/components/resources/ssl/ssl_error_assistant/ssl_error_assistant.asciipb

# Copyright 2016 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Version number of this list.
# NOTE(review): presumably increased whenever entries change so that a newer
# copy can replace an older one -- confirm against the loader.
version_id: 7

# List of SPKI hashes of certificates that are treated as captive portal
# certificates. See chrome/browser/ssl/ssl_error_assistant.proto for the full
# format.
#
# Each sha256_hash value is "sha256/" followed by a base64 string. Because the
# hash covers the certificate's public key (SPKI) rather than the whole
# certificate, a reissued certificate that keeps the same key still matches,
# while a rekeyed certificate does not and needs a new entry.

# https://captive-portal.badssl.com leaf.
# This is a test certificate, always keep it at the top.
captive_portal_cert {
  sha256_hash: "sha256/fjZPHewEHTrMDX3I1ecEIeoy3WFxHyGplOLv28kIbtI="
}

################################################################################
# The rest of the certificates are case-insensitive sorted by the first line of
# their comments.
# See http://go/chrome-captive-portal-list for instructions to update this list.
#
# Each entry is documented either with the Issuer/Subject of the certificate or
# with a crt.sh link. The value in a crt.sh link is a fingerprint of the whole
# certificate, so it is not expected to equal the entry's sha256_hash.
# NOTE(review): an entry here presumably only changes which error page is shown
# when this key appears on a failing connection; it should not be read as
# trusting the certificate -- confirm in the consumer.

# Always On
# Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited,
#         CN=COMODO High-Assurance Secure Server CA
# Subject: C=ZA/postalCode=0157, ST=Gauteng,
#          L=CENTURION/street=1020 SASBY AVENUE ELDORAIGNE,
#          O=Always On Broadband Wireless Solutions, OU=InstantSSL,
#          CN=gateway.alwayson.co.za
captive_portal_cert {
  sha256_hash: "sha256/m/nBiLhStttu1YmOz7Y3D2u1iB1dV2CbIfFa3R2YW5M="
}

# auth.impulse.com
# https://crt.sh/?q=d92d97e4d17ce28a7c844f58b0d1cda44e604b959cff998435e01777777ce715
captive_portal_cert {
  sha256_hash: "sha256/8Iuf4xRbVCmCMQTJn3rxlglIO1IOKoyuSUgmXyfaIKs="
}
# NOTE(review): no heading of its own; presumably a second auth.impulse.com
# certificate -- confirm. The query value below is 20 bytes long, which looks
# like a SHA-1 fingerprint rather than the SHA-256 form used by the other links.
# https://crt.sh/?q=AB+DF+09+66+47+46+2D+B6+D1+4F+AC+B8+13+7B+D6+8C+8B+B7+26+A9
captive_portal_cert {
  sha256_hash: "sha256/8IHdrS+r6IWzSMcRcD/GA6mBxk1ECX8tGRW0rtGWILE="
}

# beeline.ru
# https://crt.sh/?q=e64aa319a108ce49931ac19bf32f838f8db7427150cf7a781af7d9ff76f75cac
captive_portal_cert {
  sha256_hash: "sha256/k/2eeJTznE32mblA/du19wpVDSIReFX44M8wXa2JY30="
}

# BT Wi-fi
# https://crt.sh/?q=9e6bc5f9ecc52460e8edc02c644d1be1cb9f2316f41daf3b616a0b2058294b31
captive_portal_cert {
  sha256_hash: "sha256/urWd7jMwR6DJgvWhp6xfRHF5b/cba3iG0ggXtTR6AfM="
}

# controller.access.network
# https://crt.sh/?q=1544e807f17771b98a382b6b7faf2f2faf45eda44f460c4f8054b9eab845b860
captive_portal_cert {
  sha256_hash: "sha256/IJPCDSE5tM9H3nuD5m6RU2i9KDdPXVn4qmC/ULlcZzc="
}

# hotelwifi.com
# https://crt.sh/?q=f9dca04c4ac67f346c505c6a9bdc931c5272547dbb512a138c4459a903b023c7
captive_portal_cert {
  sha256_hash: "sha256/0Gy8RMdbxHNWR2GQJ62QKDXORYf5JmMmnr1FJFPYpzM="
}

# Innflux
# Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
#         OU=http://certs.godaddy.com/repository/,
#         CN=Go Daddy Secure Certificate Authority - G2
# Subject: OU=Domain Control Validated, CN=gateway.innflux.com
captive_portal_cert {
  sha256_hash: "sha256/8tTICtyaxIQrdbYYDdgZhTN0OpM9kYndvoImtw1Ys5E="
}

# kewiko.mn
# Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
#         OU=http://certs.godaddy.com/repository/,
#         CN=Go Daddy Secure Certificate Authority - G2
# Subject: OU=Domain Control Validated, CN=wireless.kewiko.mn
captive_portal_cert {
  sha256_hash: "sha256/F7HIlsaG0bpJW8CzYekRbtFqLVTTGqwvuwPDqnlLct0="
}

# login.globalsuite.net
# https://crt.sh/?q=ed4119e407aa22f507617226bbf2009fdbca55079a2c2f8eebda84e3173006a6
captive_portal_cert {
  sha256_hash: "sha256/zaV2Aw1A742R1+WpXWvL5atsJbGmeSS6dzZOfe6f1Yw="
}

# login.netinary.net
# Issuer: C=US, O=thawte, Inc., CN=thawte SSL CA - G2
# Subject: C=FR, ST=Bouches-du-Rh\xC3\xB4ne, L=MARSEILLE, O=NETINARY,
#          OU=Security, CN=login.netinary.net
captive_portal_cert {
  sha256_hash: "sha256/UwOkRGMlP0K/mKNJdpQ0sTg2ean9Tje8UTOvFYzt1GE="
}

# mobicare.com.br
# https://crt.sh/?q=bf9a13fc64b18221a6f0360e95ba54714d8ebf70a0291b7ea5f357be30436a7a
captive_portal_cert {
  sha256_hash: "sha256/w7KUXE4/BAo1YVZdO3mBsrMpu4IQuN0mhUXUI//agVU="
}

# ombord.info
# https://crt.sh/?q=f849586eedb4c754fc53e4352948d36097ae7fec50abc5f93c08239719c8184a
captive_portal_cert {
  sha256_hash: "sha256/JnPvGqEn36FjHQlBXtG1uWwNtdMj1o2ojR/asqyypNk="
}

# Orange France
# Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
#         CN=Symantec Class 3 Secure Server CA - G4
# Subject: C=FR, ST=Paris, L=Paris, O=Orange, OU=Orange France,
#          CN=hautdebitmobile.orange.fr
captive_portal_cert {
  sha256_hash: "sha256/AUSXlKDCf1X30WhWeAWbjToABfBkJrKWPL6KwEi5VH0="
}

# virginwifi.io
# Issuer: O=GeoTrust Inc., CN=RapidSSL SHA256 CA - G2, C=US
# Subject: CN=*.virginwifi.io
captive_portal_cert {
  sha256_hash: "sha256/zSyVjjFJMIeXK0ktVTIjewwr6U5OePRqyY/nEXTI4P8="
}

# wifipass.org
# https://crt.sh/?q=1cce212718a7cf65ce33acde91b5bc66863d14ae259fbaf841f83bf89748f5fd
captive_portal_cert {
  sha256_hash: "sha256/9dcHlrXN2WV/ehbEdMxMZ8IV4qvGejCtNC5r6nfTviM="
}

# wifisignon.shaw.ca
# Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
#         CN=Symantec Class 3 Secure Server CA - G4
# Subject: C=CA, ST=Alberta, L=Calgary, O=Shaw Cablesystems G.P., OU=TNO,
#          CN=wifisignon.shaw.ca
captive_portal_cert {
  sha256_hash: "sha256/E+0WZLGSIe5nddlVKZ5fYzaNHHCE3hNqi/OWZD3iKgA="
}

# wifree.voo.be
# Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com,
#         CN=DigiCert SHA2 High Assurance Server CA
# Subject: C=BE, ST=Liege, L=Liege, O=Tecteo Group, CN=wifree.voo.be
captive_portal_cert {
  sha256_hash: "sha256/QJ/69CTHYPRa0I3UVlwD6N4MtToxpQ1+0izyGnqEHQo="
}

# wireless.wifirst.net
# Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
# Subject: OU=Domain Control Validated, OU=Gandi Standard SSL,
#          CN=wireless.wifirst.net
captive_portal_cert {
  sha256_hash: "sha256/LKtpdq9q7F7msGK0w1+b/gKoDHaQcZKTHIf9PTz2u+U="
}

# MITM software list. Each entry names a product and gives a regular expression
# for the issuer common name and/or the issuer organization of the presented
# certificate.
# NOTE(review): issuer CN/O are plain strings inside the presented certificate;
# on a chain that fails validation nothing authenticates them, so a match can
# only select which error page is shown -- confirm the consumer never treats a
# match as a reason to trust the connection.
# NOTE(review): whether a pattern must match the whole field or any substring
# is not visible here ("Blue Coat.*" below hints at whole-field matching) --
# confirm before adding a short pattern such as "Cisco".
# NOTE(review): a backslash inside a quoted text-format string starts an escape
# sequence; confirm that patterns such as "\." and "\(\d+\)" reach the regex
# engine as intended.

# https://mitm-software.badssl.com leaf.
# This is a test certificate, keep it at the top of the MITM software list.
mitm_software {
  name: "BadSSL Antivirus",
  issuer_common_name_regex: "BadSSL MITM Software Test"
}

################################################################################
# The rest of the MITM software certificates are sorted alphabetically by name.

mitm_software {
  name: "Avast Antivirus",
  issuer_common_name_regex: "avast! Web/Mail Shield Root",
  issuer_organization_regex: "avast! Web/Mail Shield"
}

mitm_software {
  name: "Bitdefender Antivirus",
  issuer_common_name_regex: "Bitdefender Personal CA\.Net-Defender",
  issuer_organization_regex: "Bitdefender"
}

mitm_software {
  name: "Cisco Umbrella",
  issuer_common_name_regex: "Cisco Umbrella Root CA",
  issuer_organization_regex: "Cisco"
}

# Second Cisco Umbrella issuer (sub-CA); same product name as the entry above.
mitm_software {
  name: "Cisco Umbrella",
  issuer_common_name_regex: "Cisco Umbrella Primary SubCA",
  issuer_organization_regex: "Cisco"
}

mitm_software {
  name: "ContentKeeper",
  issuer_common_name_regex: "ContentKeeper Appliance CA \(\d+\)",
  issuer_organization_regex: "ContentKeeper Technologies"
}

# Matched on issuer organization only.
mitm_software {
  name: "Cyberoam Firewall",
  issuer_organization_regex: "Cyberoam Certificate Authority"
}

mitm_software {
  name: "ForcePoint",
  issuer_common_name_regex: "Forcepoint Cloud CA",
  issuer_organization_regex: "Forcepoint LLC"
}

mitm_software {
  name: "Fortigate",
  issuer_common_name_regex: "FortiGate CA",
  issuer_organization_regex: "Fortinet"
}

# NOTE(review): this organization pattern also covers the "Fortinet"
# organization used by the Fortigate entry above. Which name is reported when
# both entries match depends on evaluation order, which is not visible here.
mitm_software {
  name: "Fortinet",
  issuer_organization_regex: "Fortinet( Ltd\.)?"
}

# Matched on issuer common name only.
mitm_software {
  name: "Kaspersky Internet Security",
  issuer_common_name_regex: "Kaspersky Anti-Virus Personal Root Certificate"
}

mitm_software {
  name: "McAfee Web Gateway",
  issuer_common_name_regex: "McAfee Web Gateway"
}

mitm_software {
  name: "NetSpark",
  issuer_common_name_regex: "www\.netspark\.com",
  issuer_organization_regex: "NetSpark"
}

mitm_software {
  name: "SmoothWall Firewall",
  issuer_common_name_regex: "Smoothwall-default-root-certificate-authority"
}

mitm_software {
  name: "SonicWall Firewall",
  issuer_organization_regex: "HTTPS Management Certificate for SonicWALL"
}

mitm_software {
  name: "Sophos",
  issuer_common_name_regex: "Sophos SSL CA_[A-Z0-9\-]+",
  issuer_organization_regex: "Sophos"
}

# Second Sophos common-name form; no organization pattern is given, so this
# entry is matched on common name alone.
mitm_software {
  name: "Sophos",
  issuer_common_name_regex: "Sophos_CA_[A-Z0-9]+"
}

mitm_software {
  name: "Sophos UTM",
  issuer_common_name_regex: "sophosutm Proxy CA",
  issuer_organization_regex: "sophosutm"
}

mitm_software {
  name: "Sophos Web Appliance",
  issuer_common_name_regex: "Sophos Web Appliance",
  issuer_organization_regex: "Sophos Plc"
}

# The trailing ".*" accepts any organization that starts with "Blue Coat".
mitm_software {
  name: "Symantec Blue Coat",
  issuer_organization_regex: "Blue Coat.*"
}

mitm_software {
  name: "Trend Micro InterScan Web Security Suite (IWSS)",
  issuer_common_name_regex: "IWSS\.TREND"
}

mitm_software {
  name: "Zscaler",
  issuer_organization_regex: "Zscaler Inc\."
}

################################################################################
# Dynamic interstitials
#
# Each entry pairs one certificate error code (cert_error) with one key hash
# (sha256_hash) and names the interstitial page to show for that combination.
# A key that can surface under two error codes therefore needs two entries.
# NOTE(review): mitm_software_name is presumably the product name displayed on
# the interstitial -- confirm against the proto.

# Potentially compromised Mitel keys.
# https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-17-0001
#
# These keys have been blacklisted, but some of them also use weak signature
# algorithms, so they may have already stopped working in Chrome. We trigger the
# MITM interstitial for ERR_CERT_REVOKED and also for
# ERR_CERT_WEAK_SIGNATURE_ALGORITHM when appropriate. (We're not guaranteed to
# receive one error code or the other.)
#
# All fields for these entries should match except |cert_error| and
# |sha256_hash|.
#
# Two of the hashes below (the first and the last) have an entry for each error
# code; the two in between have an ERR_CERT_REVOKED entry only.

dynamic_interstitial {
  cert_error: ERR_CERT_REVOKED,
  sha256_hash: "sha256/cH02TnKuUhQx3ZU4l/nEhG1bjDJCmP5T+9StofLRFX8=",
  mitm_software_name: "Mitel",
  interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}

# Same key as the entry above, for the weak-signature error code.
dynamic_interstitial {
  cert_error: ERR_CERT_WEAK_SIGNATURE_ALGORITHM,
  sha256_hash: "sha256/cH02TnKuUhQx3ZU4l/nEhG1bjDJCmP5T+9StofLRFX8=",
  mitm_software_name: "Mitel",
  interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}

dynamic_interstitial {
  cert_error: ERR_CERT_REVOKED,
  sha256_hash: "sha256/atuOPgVUYJItFQHLl/lMagLjnI8ndMpAiCW3tYN53BQ=",
  mitm_software_name: "Mitel",
  interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}

dynamic_interstitial {
  cert_error: ERR_CERT_REVOKED,
  sha256_hash: "sha256/SQtuxr6y1gNHILUUm2spzTVRWYjMFq+FQUiwe5sfihE=",
  mitm_software_name: "Mitel",
  interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}

dynamic_interstitial {
  cert_error: ERR_CERT_REVOKED,
  sha256_hash: "sha256/71UShHFSMt6S4kbDIzKTYrEySTuxa1ieR3VSC+uHGlY=",
  mitm_software_name: "Mitel",
  interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}

# Same key as the entry above, for the weak-signature error code.
dynamic_interstitial {
  cert_error: ERR_CERT_WEAK_SIGNATURE_ALGORITHM,
  sha256_hash: "sha256/71UShHFSMt6S4kbDIzKTYrEySTuxa1ieR3VSC+uHGlY=",
  mitm_software_name: "Mitel",
  interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}

# Potentially compromised Sennheiser HeadSetup and Sennheiser HeadSetup Pro
# certs.
# https://nvd.nist.gov/vuln/detail/CVE-2018-17612
# Both entries below cover ERR_CERT_REVOKED only.
dynamic_interstitial {
  cert_error: ERR_CERT_REVOKED,
  sha256_hash: "sha256/DEPqi83p/DvKFlZkrIIVVn40idU5OgyB4aeRQZkuGVM=",
  mitm_software_name: "Sennheiser HeadSetup",
  interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}

dynamic_interstitial {
  cert_error: ERR_CERT_REVOKED,
  sha256_hash: "sha256/j1kfeqTcPv6UkMOKRpLJAR7RKPHeWVVpQG13tvofa0w=",
  mitm_software_name: "Sennheiser HeadSetup",
  interstitial_type: INTERSTITIAL_PAGE_MITM_SOFTWARE
}