Hacker News new | past | comments | ask | show | jobs | submit login

What makes everyone so sure this isn't happening everywhere already?

The problem Kazakhstan had was that there was no existing CA they could already force to issue certs. So they had to make a new one. It would be foolish to assume that none of the many trust anchors your browser already trusts haven't already been compelled by your local government to do exactly this.

Also, DANE and DNSSEC solves this problem.




Certificate Transparency would make it blatantly obvious if any existing CA were being compelled by governments to issue fraudulent certs.

DANE is, unfortunately, not viable to implement in browsers right now for a variety of reasons: https://www.imperialviolet.org/2015/01/17/notdane.html


> Certificate Transparency would make it blatantly obvious if any existing CA were being compelled by governments to issue fraudulent certs.

CT makes such an attack obvious, but the harm can't be undone.

A case study: root certificates for the GPKI, the South Korean governmental CA primarily used for public institutions, are not included in most browsers except for maybe IE [1] but frequently trusted due to (still) prevalent uses of ActiveX controls. It is of course subject to CA/B Forum baseline requirements [2] and publishes CT records, so you may guess their "accidentally" invalid wildcard certificates [3] are quickly spotted... Heck no! It was only noticed 3 years later [4]. No one knows what happened in this period.

[1] For example, Firefox doesn't include it: https://bugzilla.mozilla.org/show_bug.cgi?id=1377389

[2] https://cabforum.org/baseline-requirements-documents/

[3] For example, https://crt.sh/?id=6990343 contains a public suffix `.co.kr` (comparable to `.com`). Note that the BR contains very strong requirements for such public suffixes, which the GPKI didn't follow.

[4] https://www.mois.go.kr/frt/bbs/type001/commonSelectBoardArti...


Not only does it not solve this problem, it actually makes controls like this easier to deploy: Kazakhstan controls the keys for its own ccTLD, and will simply require people to use .kz variants of services (and require services to provide those to deploy in Kazakhstan). Many of the most popular sites in Kazakhstan, including Google, are already reached on .kz names.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: