Hacker News new | comments | ask | show | jobs | submit login

Google and Mozilla should blacklist the certificate once it's made public.

That would make people in the US feel better, but it wouldn't make any difference. If a country can force residents to install software or reconfigure their machines, there's nothing browser vendors can do to make those residents secure. Essentially, Kazakhstan owns (in both senses) the Internet-connected computers of all its residents, and it can do whatever it wants with them.

It's also well within Kazakhstan's budget to do subtler, harder-to-defeat things to stop MITM circumvention. This is an arms race that Google will lose.

Can you name some examples of what they can do? Because other than release some sort of virus, which will be found in a matter of months, I don't think they can infect the entire country.

They can target more specifically than that. Suspected activists get a keylogger bundled in their next windows update. Later on another update removes all traces of it. It might take decades before something like that was noticed.

Windows doesn't use the certificate store for windows updates. Installing a root CA does not allow you to provide windows updates because I believe they hardcode the cert in the updater.

Other non-windows updates do allow you to install other software.

To set this up, Kazakhstan will have to set up their CA with the bit set for software signing. This bit will be visible by everyone and it'll be very telling instead of just being allowed as a root CA for ssl/https sites.

Have you experience with not so nice governments?

Not everything can be changed from the beautiful plains of Silicon Valley.

That would just stop their browsers from working in Kazakhstan on HTTPS sites, who would most likely respond by issuing a new certificate and/or recommending IE. It may also discourage websites from implementing HTTPS.

Not sure how this will work with certificate pinning, though. Will sites like Google become inaccessible?

No, because locally-installed certificates override pins.

Depends on how the app is implemented. Doesn't have to be that way at all, and shouldn't if properly pinned.

Individual applications (not browsers) can of course hardcode pins that aren't overridden. Those applications will simply stop working in Kazakhstan.

Depends on the client implementation. You should expect applications like Twitter for iOS to become inaccessible as it pins the certificate (correctly), i.e. adding the world of (rogue) CA's still wouldn't make the certificate valid. Apart from replacing the (hardcoded properties of the) certificate

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact