
They just have to hijack one existing CA that's within their jurisdiction and force it to issue MITM certs. Key pinning or certificate transparency may mitigate this.

Or the MITM box could use some kind of HTTP downgrade attack and not worry about certificates at all.




That would "burn" the CA (it will be removed and/or blacklisted from every major browser and operating system once it's exposed, and exposing it gets much easier with the recent push towards certificate transparency), so it can only be done once per CA.


After the first try all German CAs may get removed, so probably once ever.


Just wait a few years. I'm sure we will get something to support this on the EU level. It'll be positioned as fighting for your freedom and every company that doesn't implement them is the worst.


I would hope that any CA they try to force this on sues them, as that leaking would surely destroy their business.


If the 'certificate transparency' initiative takes off, this could be easily detected.

https://transparencyreport.google.com/https/certificates
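As an added illustration of the detection idea in the comment above (not part of the thread), this is the kind of check a domain owner can run over certificate transparency log entries to spot certificates for their names issued by a CA they never used. The entry fields, the sample data and the issuer names are constructed for this example and do not follow any particular log's schema; the check only sees certificates that were actually submitted to a log.

```python
# Constructed sample CT entries (hypothetical field names, not a real log API schema).
SAMPLE_ENTRIES = [
    {"dns_names": ["example.org", "www.example.org"],
     "issuer": "CN=Expected CA R1", "logged_at": "2019-01-10T08:00:00Z"},
    {"dns_names": ["*.example.org"],
     "issuer": "CN=Expected CA R1", "logged_at": "2019-01-12T09:30:00Z"},
    {"dns_names": ["mail.example.org"],
     "issuer": "CN=Unexpected Regional CA", "logged_at": "2019-01-15T23:41:00Z"},
    # Look-alike names that must NOT match the watched domain:
    {"dns_names": ["example.org.evil.test"],
     "issuer": "CN=Unexpected Regional CA", "logged_at": "2019-01-16T01:00:00Z"},
    {"dns_names": ["notexample.org"],
     "issuer": "CN=Unexpected Regional CA", "logged_at": "2019-01-16T02:00:00Z"},
]


def covers_domain(name, domain):
    """True if a certificate DNS name is the watched domain or a name under it."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # a wildcard covers names under its base
        name = name[2:]
    # Require a label boundary so "notexample.org" does not match "example.org".
    return name == domain or name.endswith("." + domain)


def find_unexpected(entries, domain, allowed_issuers):
    """Return logged certificates for `domain` whose issuer is not on the allowlist."""
    domain = domain.lower().rstrip(".")
    findings = []
    for entry in entries:
        hits = [n for n in entry["dns_names"] if covers_domain(n, domain)]
        if hits and entry["issuer"] not in allowed_issuers:
            findings.append({"names": hits,
                             "issuer": entry["issuer"],
                             "logged_at": entry["logged_at"]})
    # Oldest first, so the first unexpected issuance leads the report.
    return sorted(findings, key=lambda f: f["logged_at"])


if __name__ == "__main__":
    for f in find_unexpected(SAMPLE_ENTRIES, "example.org", {"CN=Expected CA R1"}):
        print(f["logged_at"], f["issuer"], ", ".join(f["names"]))
```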


Certificate transparency would not work against a targeted MITM attack.



