
How does that change how HTTPS works?



It doesn't, but the ISP still knows what pages you went to.

If they want to determine your political leanings your browsing history is enough.


How would the ISP know what pages you went to over HTTPS? Only the domain name would be available, through SNI/DNS.


They could just MITM all connections and say 'for compatibility reasons, please install this root certificate'.

With a fee, this requirement could then be waived.

Dystopian but technically possible.


This type of hypothetical drives me batty, and I was tempted to be snarky. I'm not sure how to respond to the idea that there will ever be a time your ISP requires root cert installation for service, but I will be finding a way to launch a WISP of my own at that point.


It's only slightly hypothetical.

http://www.csoonline.com/article/2865806/cloud-security/gogo...

Gogo didn't require installing a root cert, but they DID issue forged certificates to MitM connections to *.google.com (and others).

Also, remember "Superfish"? Their root cert was pre-installed by Lenovo.


My original was already snark. Though I don't think it's impossible that a small amount of non-technical people might actually be convinced to do this.


Just the domain names is already a lot of information...



