Hacker News new | past | comments | ask | show | jobs | submit login

bitcoin.org does not implement HPKP. Any government that controls a CA can generate its own cert for bitcoin.org, hijack the site's IP and replace this page with their own fingerprint.

And China has a root CA under their control. I'm on my iPad at the moment so I can't provide the fingerprints of it right now, but I remember "un-trusting it" on all of my machines a long while back.

And the US, host of malicious entities like the CIA and NSA, has several root CA's under their control.

Yes, of course. There's something like, what, around 400 root CAs, I think?

I mentioned the .cn government (and their root CA(s)) because the article mentioned the .cn government, specifically, and the parent comment mentioned "any government that controls a CA".

Obviously, any government with a) control over a root CA and b) control over their entire country's Internet access could carry this out. The article we're commenting, however, called out .cn by name.

I believe there are two of them: "CNNIC Root" and "China Internet Network Information Center EV Certificates Root".

As does anyone with enough money to purchase a certificate authority or crack a certificate authorities servers.

Btw, if China is not to be trusted, wouldn't the proper way to do this be to remove the chinese root CA from your browsers etc?

Yes, that's exactly what I did. I removed the "CNNIC" root certificate authority after some previous mishap (I want to say they issued certs for google.com, et al., but I may be thinking of a different incident).

They could, but that's likely to get noticed and burn a CA. Any user can just save the cert presented and it's ironclad evidence.

Maybe for targeted attacks against individuals.

1. HPKP is too easy to mess up

2. If they use chrome, certificate transparency will log these

Unfortunately chinese people don't really use Chrome.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact