Hacker News new | comments | show | ask | jobs | submit login

How would the ISP know what pages you went to over HTTPS? Only the domain name would be available, through SNI/DNS.



They could just MITM all connections and say 'for compatibility reasons, please install this root certificate'.

With a fee, this requirement could then be waived.

Dystopian but technically possible.


This type of hypothetical drives me batty, and I was tempted to be snarky. I'm not sure how to respond to the idea that there will ever be a time your ISP requires root cert installation for service, but I will be finding a way to launch a WISP of my own at that point.


It's only slightly hypothetical.

http://www.csoonline.com/article/2865806/cloud-security/gogo...

Gogo didn't require installing a root cert, but they DID issue forged certificates to MitM connections to *.google.com (and others).

Also, remember "Superfish"? Their root cert was pre-installed by Lenovo.


My original was already snark. Though I don't think its impossible that a small amount of non-technical people might actually be convinced to do this.


Just the domain names is already a lot of information...




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: