
CAs aren't geographically limited. Any CA trusted by your computer is trusted for any domain anywhere (with the exception of certificate pinning, which isn't commonly used). That means that a single rogue CA is enough to make HTTPS worthless everywhere.



Mozilla actually has done this (sort of), once. They restricted French agency ANSSI's root CA to only be valid for TLDs ending in .fr, .gp, .gf, .mq, .re, .yt, .pm, .bl, .mf, .wf, .pf, .nc, .tf.

https://wiki.mozilla.org/CA:IncludedCAs
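The TLD restriction on the ANSSI root described above is a name constraint: a permitted set of DNS subtrees that every dNSName in a leaf certificate must fall inside, evaluated as in RFC 5280 section 4.2.1.10. The following stdlib-only Python is an added example (not from the comment, and not Mozilla's or NSS's own implementation); it uses the TLD list from the comment, the leaf SAN lists are constructed, and it also models the unconstrained root from the first comment, which accepts any name.

```python
from __future__ import annotations

# Added example: simulate an RFC 5280 dNSName permittedSubtrees constraint applied
# to a root CA, as with the ANSSI restriction above. Not Mozilla/NSS code.

# TLD list as given in the comment (leading dots dropped).
ANSSI_PERMITTED_TLDS = [
    "fr", "gp", "gf", "mq", "re", "yt", "pm", "bl", "mf", "wf", "pf", "nc", "tf",
]


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Example.FR.' compares equal to 'example.fr'."""
    return name.strip().lower().rstrip(".")


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName matching: the name must equal the constraint or end with
    '.' + constraint. So 'example.fr' fits 'fr', but 'notfr' does not, and
    'www.google.fr.example.com' does not (a plain substring test would accept it)."""
    name, subtree = normalize(name), normalize(subtree)
    if subtree == "":
        return True  # an empty constraint permits every name
    return name == subtree or name.endswith("." + subtree)


def leaf_permitted(san_dns_names: list[str], permitted: list[str]) -> tuple[bool, list[str]]:
    """Every dNSName in the leaf must fall inside at least one permitted subtree;
    a single out-of-scope name makes the whole chain invalid.
    Returns (ok, offending_names)."""
    offending = [n for n in san_dns_names
                 if not any(dns_name_in_subtree(n, p) for p in permitted)]
    return (not offending, offending)


def check_chain(san_dns_names: list[str], root_constraints: list[str] | None = None):
    """root_constraints=None models an unconstrained root: trusted for any name
    anywhere, which is the situation the first comment describes."""
    if root_constraints is None:
        return (True, [])
    return leaf_permitted(san_dns_names, root_constraints)


# Constructed sample leaves (not real certificates): only their SAN dNSName lists matter here.
SAMPLE_LEAVES = {
    "french-gov": ["impots.gouv.fr", "www.impots.gouv.fr"],
    "mixed": ["www.example.fr", "www.example.com"],
    "suffix-trick": ["www.google.fr.example.com"],
}

if __name__ == "__main__":
    for label, names in SAMPLE_LEAVES.items():
        unconstrained = check_chain(names)
        constrained = check_chain(names, ANSSI_PERMITTED_TLDS)
        print(f"{label:12} unconstrained root: {unconstrained[0]}  "
              f"ANSSI-constrained root: {constrained[0]} offending={constrained[1]}")
```

The "suffix-trick" case is the one to keep in mind when writing such a check: matching on `"." + suffix` rather than a bare `endswith(suffix)` or substring test is what stops a certificate for `www.google.fr.example.com` from passing as a `.fr` name.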



