
Except I look at the linked mailing list and you already get "us techies" arguing "uh yeah but uhm this isn't so different from the corporate CA intercept thing right so let's not blacklist it uhm".

What the fuck.

There's a broader reason. If the normal browsers break this, the response will just be that they do their own national fork of an open-source browser and distribute that to their people.

The downside of pushing them to that is that that browser will be unlikely to get regular security updates and will likely hide the interception.

Actually, I don't see the issue here. It is literally the same thing as corps intercepting the connections of their employees or visitors. In fact I trust my employer even less than I trust the government.

But I disagree with the response that says we should do nothing. In fact, corporate root certs should be blocked / ignored by the browser in the exact same way and for the exact same reason. The only exception should be certs issued for a limited number of domains that are only active in a specific developer mode that can be enabled by knowledgeable users.

Sure, technological solutions can't solve this issue 100%. (My employer can also fork a browser.) But acting as if everything is OK when the connection is being MITMed is wrong and browsers shouldn't do it.
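The policy proposed in the comment above (ignore locally added roots, with an exception only for a short allowlist of hosts while a developer mode is switched on), written out as an added Go example; it is not code from the thread or from any browser. The root names, the hosts `example.com` and `dev.internal.test`, the allowlist and the `Classify`/`RunScenario` helpers are all constructed for the demonstration, and the certificates are generated in memory rather than read from any real store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is what the browser decides about a server's certificate chain.
type Verdict int

const (
	Trusted     Verdict = iota // anchors in the built-in public root store
	Intercepted                // anchors only in a locally added root: treat as MITM
	DevAllowed                 // locally anchored, but dev mode is on and the host is allowlisted
	Untrusted                  // anchors nowhere
)

func (v Verdict) String() string {
	return [...]string{"Trusted", "Intercepted", "DevAllowed", "Untrusted"}[v]
}

// Classify implements the proposed policy: the built-in store is tried first,
// and a chain that verifies only against locally added roots is rejected as
// interception unless developer mode is on and the host is on the allowlist.
func Classify(leaf *x509.Certificate, host string, builtin, local *x509.CertPool,
	devMode bool, devHosts map[string]bool) Verdict {
	opts := x509.VerifyOptions{DNSName: host, Roots: builtin}
	if _, err := leaf.Verify(opts); err == nil {
		return Trusted
	}
	opts.Roots = local
	if _, err := leaf.Verify(opts); err != nil {
		return Untrusted
	}
	if devMode && devHosts[host] {
		return DevAllowed
	}
	return Intercepted
}

// mint makes a self-signed CA when parent is nil, otherwise a server cert for
// host cn signed by parent. Constructed test data only, so failures just panic.
func mint(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root: self-signed and allowed to sign certificates
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else { // leaf: name-bound server certificate
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// RunScenario builds constructed roots and leaves and classifies each case.
func RunScenario() map[string]Verdict {
	publicRoot, publicKey := mint("Constructed Public Root", 1, nil, nil)
	corpRoot, corpKey := mint("Constructed Corporate Interception Root", 2, nil, nil)
	rogueRoot, rogueKey := mint("Constructed Root Nobody Installed", 3, nil, nil)

	builtin, local := x509.NewCertPool(), x509.NewCertPool()
	builtin.AddCert(publicRoot) // stands in for the browser's bundled store
	local.AddCert(corpRoot)     // stands in for a root pushed by IT or by a state
	devHosts := map[string]bool{"dev.internal.test": true} // assumed allowlist

	genuine, _ := mint("example.com", 10, publicRoot, publicKey)
	intercepted, _ := mint("example.com", 11, corpRoot, corpKey)
	internal, _ := mint("dev.internal.test", 12, corpRoot, corpKey)
	rogue, _ := mint("example.com", 13, rogueRoot, rogueKey)

	return map[string]Verdict{
		"public":           Classify(genuine, "example.com", builtin, local, false, devHosts),
		"corp":             Classify(intercepted, "example.com", builtin, local, false, devHosts),
		"corp-dev-other":   Classify(intercepted, "example.com", builtin, local, true, devHosts),
		"corp-dev-allowed": Classify(internal, "dev.internal.test", builtin, local, true, devHosts),
		"unknown":          Classify(rogue, "example.com", builtin, local, false, devHosts),
	}
}

func main() {
	for name, v := range RunScenario() {
		fmt.Printf("%-18s %s\n", name, v)
	}
}
```

The point of the two-pass verification is that the browser can only apply this policy if it keeps its bundled roots and the locally installed ones in separate pools; a single merged store, which is what most platform APIs hand back today, cannot tell a public chain from an intercepted one. It also does nothing against the forked-browser case raised elsewhere in the thread, since a fork can simply merge the pools again.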

> corporate root certs should be blocked / ignored by the browser in the exact same way and for the exact same reason ... technological solutions can't solve this issue 100%

Technological solutions can't solve this at all if the entire stack is controlled by the interested party.

In the case of government snooping, you (theoretically) own the end device being used for access. In the case of corporate snooping, you're using corporate owned and managed devices. There is absolutely no technological solution that exists that will prevent another person from building software for (or selling to) corporations who need to snoop on their employees. Considering the selling price of appliances that perform these services (e.g. Bluecoat's range), the cost of a browser is negligible in comparison.

I don't think it's fair to conflate a lack of privacy on corporate owned devices with a lack of privacy on your own personal devices.

"So do we make our flagship product useless for the entire country or not?" - The real question

Yes? This isn't that complicated. You break it, and when competitive browser X refuses to do so, you sell the idea that browser X is compromised for all users everywhere (not just in Kazakhstan).

Stop thinking about the country with literally less than 1% of world internet users and start thinking of the reputational damage a less than charitable presentation of your collaboration with a totalitarian state against your users would do to the other 99%+ of your market.

Apple is openly collaborating with the Chinese regime, including allowing the government to snoop on all Chinese traffic, yet they still have a high reputation for privacy. This just doesn't work; people don't give a shit about other countries.

That's fair, but the country doing this will just fork an open-source browser and make it their official browser.

Sure. "don't use Kazakhfox, it's malware, we've submitted definitions to the AV databases" isn't a hard sell for your 99%+ audience.

Malware forks of open source projects (and closed-source software!) are not a new problem.

Except they are a new problem when the use of them is mandated by a nation-state.

Which is bad news for the ~15m internet users in Kazakhstan. For the ~4000m internet users not in Kazakhstan & generally immune to their rubber hose attack, protecting them from being one BGP fuckup away from being MITMed by a hostile foreign power is much more important.

Totally separate problem that I agree needs to be fixed.

In reality, being one BGP trick away from a mere dedicated individual or corporate owning certs for your domain is an actual risk today.

Are you willing to intentionally break your software (which is currently working) for an entire country?

If you want to put a stop to things like this, then you have to. Complaints from companies and the general population should be enough to fix the issue.

Mere collateral damage.

Is it better to be complicit with an authoritarian regime that is actively spying on their people, in order to have a marginally larger user base? I don't think so.

In fact, you're making it worse because you're giving legitimacy to a government that is conducting actions which we shouldn't consider acceptable. If the US government started doing the same thing, I would really hope that browsers would block those certificates too.

