Hacker News new | past | comments | ask | show | jobs | submit login

Probably, yes. But considering that CNNIC, a root CA from China, is issuing unauthorized certificates [0], I cannot help to connect these two events together. I won't be surprised that Chinese government is using unauthorized certificates to initiate MITM attack specifically targeting TLS traffics. If that is the case, there will be really bad days for the whole Internet.

0. http://googleonlinesecurity.blogspot.com/2015/03/maintaining...




Well, that sucks. That effectively makes HTTPS worthless there doesn't it?

Also on the other link I have seen another relevant article [0] on how BitTorrent could be used for attacks from China.

Scary stuff.

[0] http://furbo.org/2015/01/22/fear-china/


CAs aren't geographically limited. Any CA trusted by your computer is trusted for any domain anywhere (with the exception of certificate pinning, which isn't commonly used). That means that a single rogue CA is enough to make HTTPS worthless everywhere.


Mozilla actually has done this (sort of), once. They restricted French agency ANSSI's root CA to only be valid for TLDs ending in .fr, .gp, .gf, .mq, .re, .yt, .pm, .bl, .mf, .wf, .pf, .nc, .tf.

https://wiki.mozilla.org/CA:IncludedCAs


They could also strip the https and serve everything over http through the firewall. The fact that the firewall exists is accepted in China so I don't see why they couldn't pull that off too.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: