
They should just put a red dot on the browser bar somewhere indicating a non-normal root cert is being used (this would also help in dev / test scenarios).

This is actually the subject of some debate; believe it or not, there is a good argument against it.

Here is the crux of the issue: many TLS middleware providers install their own root certificate for network monitoring, data loss prevention, security scanning and so on. I personally would like them to stop doing that or at least make it obvious to end users it's happening. However, in order to modify the root store, they must have been authorized to do so by the Administrator, and it's their network or hardware.

If we try to make it obvious to users that this inspection is happening, these providers will switch to using alternative methods, such as using Microsoft Detours - which would be even worse: now you have random vendors patching security-critical code in such a way that is not discoverable for end-users. This cannot be prevented, because they must already have Administrator access or they wouldn't have been able to modify the root certificate store in the first place.

In this Kazakhstan scenario, imagine if adding the government certificate put a red dot that said "You are being monitored". If the government didn't like that, they could instead require you to install monitor.exe that had the exact same effect, but didn't show the dot by patching and hooking all the crypto APIs. I find this argument against adding an obvious indicator quite compelling.

In this case though, it seems like the government has no problem with telling people they're being monitored. The fact that they're willing to tell people to install a TLS certificate is indicative of that.

I think companies in the US are legally required to provide similar disclosure when monitoring their employees, so I don't see why they'd have a problem with a persistent indicator like that.

> In this case though, it seems like the government has no problem with telling people they're being monitored

Not at all. They spin it as providing security:

"Due to frequent cases of theft of personal and credential data, as well as money from bank accounts of Kazakhstan, a security certificate was introduced that will become an effective tool for protecting the country’s information space from hackers, Internet fraudsters and other types of cyber threats.


What is a security certificate?

A security certificate is an electronic certificate that allows to protect Internet users from content that is prohibited by the laws of the Republic of Kazakhstan, as well as from malicious and potentially dangerous content. The security certificate is intended to provide subscribers of cellular communication in Kazakhstan with Internet access in the most secure manner."

(source: https://www.kcell.kz/ru/product/3585/658 -- but this text seems to be coming from government, since it's quoted by all providers).

I'm curious how many people would realise that installing a root certificate implies the government wants to spy on their traffic.

It's going to be a lot fewer than the people who'd be able to understand they'd need to do X to keep the internet working.

This is a silly argument. You might as well say that Firefox should include an option to silently submit all your keystrokes to a designated endpoint, because after all if you have access to set that option you have access to install a keylogger.

So what if they could, in theory, work around the indicator by asking users to install some dubious live-patching executable? Firstly, the users wouldn't have to do so - the enforcement mechanism here is ultimately the MITM itself, so as long as the users just installed the certificate they could continue to access sites (they would have to make the certificate available separately, for installation on iOS / Android / ChromeOS etc). Secondly, the security implications of live-patching the executable are mostly irrelevant, because the only people installing this have already lost the security game. Thirdly, there is a benefit in making the bastards work for it - keeping that live-patcher up-to-date and working against a range of target executable versions is going to be bitter work.

Companies will typically want their employees to know they are being monitored for legal reasons (as well as deterrence), so it seems like they'd have no reason to want to hide this?

Maybe clicking on the red dot could show a page with company policy.

Something like this is in FF 68. Not a red dot, but an indication when you click the padlock.


That would help people who already know what a root cert is, but it's well known that most people ignore any indicator in a URL bar. Even "smart people" ignore them. Do you actually check the lock status of every site you visit?

Most browsers have made the lack of a "lock" quite evident to end users.

If they look and care. The comment you replied to asserts that most people don't. I certainly don't.

If HN didn't have the lock in the url bar (no https), it would have zero impact on my behavior. I had to look just now to even know if there was one.

The goal is to make it evident when there isn't one.

Well, Chrome does make it evident. That wasn't my point. My point, and the point of the comment above, is that it doesn't matter to almost anyone.

If HN still wasn't using https, we'd still be here. Virtually nobody really cares day to day.

So? It matters to those who care about their communication not being spied on / silently modified by third parties. That set isn't empty.

This would be fantastic.

Also, it would be great if there were a "red dot" style warning when you manually click "Proceed anyway" while viewing an https page with an invalid certificate (currently, the browser remembers the "Proceed anyway" decision and accepts the invalid cert after the initial acceptance of the warning).

There's the big red X over the HTTPS icon in the address bar in Chrome and I'm pretty sure there's something similar done to the padlock icon in Firefox, no?

Oops, you're absolutely right.
