
Governments can force CAs to give them certs. HTTPS only stops non-government attackers.



They would be killing the CA by doing this, since all certs have to be publicly logged in order to be trusted by Chrome or Safari: https://en.wikipedia.org/wiki/Certificate_Transparency

If a minor CA suddenly issued a cert for, say, mail.google.com, they'd be distrusted by every browser/OS within days. If a government made a habit of doing this, there'd soon be no trusted CAs in their jurisdiction.

The US probably has the best chance of getting away with this since they also have all the major OS/browser vendors in their jurisdiction. But if Mozilla/Apple/Microsoft/Google all mysteriously decided not to distrust a CA that was issuing bogus certs for high-profile sites, it would be pretty conspicuous.
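The detection side of the comment above, as an added example that is not part of the thread: a monitor scans certificates seen in Certificate Transparency logs and flags any that name a watched domain but come from an issuer the domain owner does not expect. The log entries, issuer names and allow-list are constructed for illustration; a real monitor would read them from CT logs.

```python
# Added example: flag CT-logged certificates for a watched domain that were
# issued by a CA the domain owner does not use. All data here is constructed.

# Watched domain -> issuers the owner expects (placeholder names, assumed).
WATCHED = {"google.com": {"Expected CA (placeholder)"}}

# Constructed sample: issuer and subjectAltName list as a monitor would
# extract them from logged certificates.
CT_ENTRIES = [
    {"issuer": "Expected CA (placeholder)", "sans": ["mail.google.com"]},
    {"issuer": "Minor CA (placeholder)", "sans": ["mail.google.com"]},
    {"issuer": "Minor CA (placeholder)", "sans": ["*.google.com"]},
    # Look-alikes that must NOT match the watched domain:
    {"issuer": "Minor CA (placeholder)",
     "sans": ["notgoogle.com", "google.com.example.net"]},
]


def covered_domain(san, watched):
    """Return the watched domain that `san` falls under, or None."""
    name = san.lower().rstrip(".")
    if name.startswith("*."):          # a wildcard covers names under its base
        name = name[2:]
    for domain in watched:
        # Match on a label boundary so "notgoogle.com" is not a hit.
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def unexpected_issuance(entries, watched):
    """List (san, issuer) pairs where a watched name has an unexpected issuer."""
    findings = []
    for entry in entries:
        for san in entry["sans"]:
            domain = covered_domain(san, watched)
            if domain and entry["issuer"] not in watched[domain]:
                findings.append((san, entry["issuer"]))
    return findings


if __name__ == "__main__":
    for san, issuer in unexpected_issuance(CT_ENTRIES, WATCHED):
        print(f"ALERT: {san} logged with unexpected issuer {issuer!r}")
```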


CAs don't have the private keys to the certificates they sign, so this doesn't compromise issued certs.

The ability for CAs to issue extra certs to governments to enable MITM has been reduced a lot by CAA and HPKP.



