upvote

points

by layer85 hours ago |
comments
upvoteby Galanwe4 hours ago|
[-]
Because there is a quadrillion trusted CAs in every device you might use. A good chunk of these CAs have been compromised at one point or another, and rogue certificates are sold in the dark market. Also any goverment can coerce a domiciled CA to issue certs for their needs.
reply
upvoteby hvb24 hours ago|
parent|
next
[-]
That is a wild claim. I can't imagine that being correct given how that's been abused in the past

https://www.eff.org/deeplinks/2011/08/iranian-man-middle-att...

reply
upvoteby ceejayoz3 hours ago|
parent|
next
[-]
It's a pretty huge list.

https://support.apple.com/en-us/126047

The chances of zero of these CAs having been compromised by state-level actors seems… slim.

Do you trust "Hongkong Post Root CA 3" not to fuck with things?

Your link's from 2011; the US government was still in the trusted list until 2018. https://www.idmanagement.gov/implement/announcements/04_appl...

reply
upvoteby cookiengineer4 hours ago|
parent|
prev|
[-]
> That is a wild claim

China telecom regularly has BGP announcements that conflict with level3's ASNs.

Just as a hint in case you want to dig more into the topic, RIR data is publicly available, so you can verify yourself who the offenders are.

Also check out the Geedge leaked source code, which also implements TLS overrides and inspection on a country scale. A lot of countries are customers of Geedge's tech stack, especially in the Middle East.

Just sayin' it's more common than you're willing to acknowledge.

reply
upvoteby technion2 hours ago|
parent|
prev|
[-]
If you go down this path you argue desktop browsing https is broken, which i dont think is a serious argument.
reply
upvoteby quesera47 minutes ago|
parent|
[-]
No one is trying to go that far down the path.

https (specifically the CA chain of trust) is imperfect, and can be compromised by well-placed parties.

reply