
The Federal Government may not like this, but this is heading to where it should be. Sometimes the government needs to be saved from itself!



I would say there is a 50/50 chance that the government has access to any http certificates that it needs to crack any https session that they would like to crack. The Patriot Act created secret courts to enable this type of stuff. They're well known to rubber stamp any warrant that comes through.


And it is not unimaginable that the US government can crack RSA. That would explain why they are not requiring people to use short keys, yet still collect the data worldwide.


Governments can force CAs to give them certs. HTTPS only stops non-government attackers.


They would be killing the CA by doing this, since all certs have to be publicly logged in order to be trusted by Chrome or Safari: https://en.wikipedia.org/wiki/Certificate_Transparency

If a minor CA suddenly issued a cert for, say, mail.google.com, they'd be distrusted by every browser/OS within days. If a government made a habit of doing this, there'd soon be no trusted CAs in their jurisdiction.

The US probably has the best chance of getting away with this since they also have all the major OS/browser vendors in their jurisdiction. But if Mozilla/Apple/Microsoft/Google all mysteriously decided not to distrust a CA that was issuing bogus certs for high-profile sites, it would be pretty conspicuous.
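Added example, not part of the thread: a minimal Python sketch of the monitoring that public Certificate Transparency logging makes possible for a domain owner, flagging logged certificates for a watched hostname that come from an issuer outside an allowlist. The entry format, field names, CA names and the example.com hostnames are constructed for illustration and do not correspond to any real log API.

```python
"""Flag logged certificates for watched hostnames that come from unexpected CAs."""

# Constructed sample entries; the field names are this example's own, not a real log API.
SAMPLE_ENTRIES = [
    {"issuer_org": "Example Trust Services", "names": ["mail.example.com"], "logged": "2024-01-03"},
    {"issuer_org": "Minor Regional CA", "names": ["MAIL.example.com."], "logged": "2024-01-05"},
    {"issuer_org": "Minor Regional CA", "names": ["*.example.com"], "logged": "2024-01-06"},
    {"issuer_org": "Minor Regional CA", "names": ["mail.example.org"], "logged": "2024-01-07"},
    {"issuer_org": "Minor Regional CA", "names": ["*.com.example.net", "notexample.com"],
     "logged": "2024-01-08"},
]


def normalize(name):
    """Lower-case a DNS name and drop surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def covers(cert_name, host):
    """Return True if a certificate name (possibly a wildcard) is valid for host."""
    cert_name, host = normalize(cert_name), normalize(host)
    if cert_name.startswith("*."):
        # A wildcard stands in for exactly one left-most label, never zero or two.
        head, _, rest = host.partition(".")
        return bool(head) and rest == cert_name[2:]
    return cert_name == host


def unexpected_issuance(entries, watched_hosts, allowed_issuers):
    """Return (logged, issuer, matched_hosts) for entries from issuers not in the allowlist."""
    allowed = {issuer.lower() for issuer in allowed_issuers}
    hits = []
    for entry in entries:
        if entry["issuer_org"].lower() in allowed:
            continue
        matched = sorted({h for h in watched_hosts
                          for n in entry["names"] if covers(n, h)})
        if matched:
            hits.append((entry["logged"], entry["issuer_org"], matched))
    return hits


if __name__ == "__main__":
    for hit in unexpected_issuance(SAMPLE_ENTRIES, ["mail.example.com"],
                                   ["Example Trust Services"]):
        print(hit)
```

The wildcard entry is flagged as well, since a certificate for `*.example.com` is just as usable against `mail.example.com` as an exact-name one.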


CAs don't have the private keys to the certificates they sign, so this doesn't compromise issued certs.

The ability for CAs to issue extra certs to governments to enable MITM has been reduced a lot by CAA and HPKP.



