Hacker News new | past | comments | ask | show | jobs | submit login

What happens if an agency gets in deep with one of the common trusted authorities shipped with every browser, or is an authority, or just hacked their root keys, or bought access like they did with RSA? It seems like they could man in the middle all day and the only difference would be the cert issuer, which means it would be invisible if used in a limited fashion.



They could definitely do that. They could also mandate the use of "national security certificates".

https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a...


It is still better than situation where everyone would use HTTP and naively believe that authorities will respect their right for privacy.


I'd almost prefer to be on http knowing I was insecure than be on https and wrongly believing I was secure.


Well, I don't really trust random certs even when they're signed by a respected CA -- but I still prefer using HTTPS. Even if the cert is fraudulent, HTTPS is still encrypting stuff and will protect me from other random attackers.

Security is never a binary secure/insecure proposition. There are shades of gray. The key is to use what security you can, but never think "I'm secure now".

As an old mentor once told me: the moment that you think you're secure is the moment that you're at the greatest risk, but you should still lock your door.


They teach that adage in business school too. That when you think you have full control of an organization is when you have the least control.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: