
Not only that but they can happily MITM HTTPS as well. Not all the HTTPS sites use certificate pinning or HSTS.

It's a tough problem because certificate pinning kills a lot of legitimate use patterns; it's not something I'd like to see being the default everywhere.
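The pinning the comments above debate, as an added worked example that is not code from any of the commenters: a Go client that pins the site's SubjectPublicKeyInfo (SPKI) hash in `VerifyPeerCertificate`, then dials an in-process TLS server twice, once with the genuine certificate and once with a second certificate for the same name that stands in for the leaf a MITM proxy would mint under a root your OS trusts. Trust-store checks would pass the MITM leaf; the pin does not. The hostname `example.test`, the throwaway self-signed certificates and the helper names are assumptions for the example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for "example.test".
// Constructed for this example: it plays the genuine site cert on one call
// and, on a second call with a fresh key, the leaf a MITM proxy would issue.
func selfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate,
// the pin format used by HPKP and most mobile pinning libraries.
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// pinnedConfig accepts a connection only if some certificate in the presented
// chain matches one of the expected SPKI pins. InsecureSkipVerify is set here
// only so the example does not depend on the OS trust store; a real client
// keeps normal chain verification and adds the pin check on top of it.
func pinnedConfig(pins []string) *tls.Config {
	return &tls.Config{
		ServerName:         "example.test",
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			for _, der := range rawCerts {
				pin, err := spkiPin(der)
				if err != nil {
					return err
				}
				for _, want := range pins {
					if pin == want {
						return nil
					}
				}
			}
			return errors.New("pin mismatch: no presented certificate matches a pinned SPKI")
		},
	}
}

// connectPinned serves serverCert on a loopback listener and dials it with a
// client pinned to pins; nil means the handshake passed the pin check.
func connectPinned(serverCert tls.Certificate, pins []string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.(*tls.Conn).Handshake() // error is expected when the client rejects the pin
		c.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), pinnedConfig(pins))
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo reports whether the genuine cert passed the pin and whether a MITM leaf
// (same name, different key) was rejected.
func Demo() (genuineOK, mitmDetected bool, err error) {
	genuine, err := selfSigned()
	if err != nil {
		return
	}
	mitm, err := selfSigned()
	if err != nil {
		return
	}
	pin, err := spkiPin(genuine.Certificate[0])
	if err != nil {
		return
	}
	genuineOK = connectPinned(genuine, []string{pin}) == nil
	mitmDetected = connectPinned(mitm, []string{pin}) != nil
	return
}

func main() {
	ok, detected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine cert accepted:", ok)
	fmt.Println("MITM leaf rejected:", detected)
}
```

The cost the comment above points at shows up in `pinnedConfig`: a corporate TLS-inspection proxy, a CA key rotation, or a CDN migration all change the SPKI, so a pinned client breaks until it ships a new pin set. Pinning an intermediate or a backup key, and pairing the pin with normal chain validation rather than `InsecureSkipVerify`, is how deployed clients soften that.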

Yes but this is how many companies protect their HTTPS traffic (including one financial institution I work for).

What root cert would they use for that?

The government of my country has at least one certificate that's trusted by Mozilla (and I guess Chrome and Windows too) by default.

It won't stay trusted if it is actively used for MITM attacks. At least that's the idea.

You mean CA? There are many options depending on which agency and which target you are talking about. They have a few options, from stealing a CA from a legitimate CA user if they want anonymity, to using one that is built into your browsers or systems, as somebody else already pointed out in the thread.
