
SSL is designed so that only the server with the private key for a specific certificate can complete the handshake correctly for that certificate, and the certificate is tied to the domain name.

The ISP can MITM the handshake and return a different certificate, but unless a certificate authority supported by your browser is complicit, they can't get that certificate signed for the domain you're trying to visit, and the browser will complain.




I would expect that if the US government is requiring this, they'd also be able to get at least a few US-based certificate authorities to play along.


If they did, we'd get versions of Firefox and Chromium at least with the US certificate authorities' root certs yanked out within a day, and companies scrambling to replace their SSL certs with certs that'd still be trusted by users.

Unless they made it illegal to, I'm sure we'd see all the major browsers work to deprecate those certificate authorities pretty quickly - not doing so would make SSL useless.


I'm sure we'd see all the major browsers work to deprecate those certificate authorities pretty quickly

What about the recent Comodo breaches? Their certs are still trusted by all major browsers (as far as I'm aware).

I realise they weren't complicit in issuing the fraudulent certs, but the effect is the same.


Assuming that they bothered mentioning it.



