Hacker News new | past | comments | ask | show | jobs | submit login

Slightly OT - if the bad guy can't fiddle with the trust store of your computer, whats his another methods of analysing a users traffic? Is https breakable by other means?

They don't really have to force you to install that root cert. Every https connection will be signed with it, so you either trust that cert and can actually view the site (and gov can read it all) or you don't and just get error in your browser.

Everything is breakable, but some things take a really looong time to break. Governments might be able to break some weak https encryption, but not all.

You can inject hooks into the certificate validation routines to make your certificates accepted, hook the actual encrypt/decrypt functions, or make the session establishment routines leak the master secret.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact