
It exists to intercept https and potentially other TLS traffic. It exists because everybody can make such a certificate. I made such a CA certificate for my personal use, not to MITM myself, but to issue certificates for some internal services that are out of scope of Let's Encrypt. Every major desktop OS comes with tools that let you make a CA certificate: Windows does, macOS does, and Linux distros usually ship openssl/gnutls/nss tools (as installable packages).

The challenge is not to make it but to get it trusted by OS and software. The Kazakhstan government solved it by having the ISPs just tell people to install the thing themselves into each and every device you own.

Why does the government want this? To snoop on people. Usually framed as "We need to be able to fight terrorists, criminals and/or foreign enemies who 'abuse' encryption to hide their malicious activities". Though, a lot of times the government will say all people are potential terrorists, and you just don't know if they are until you start snooping on them.

It's not only a thing with just authoritarian regimes, either. Australia passed a law which basically forces Australian companies and citizens to add backdoors in any products using end-to-end encryption (thereby effectively disabling end-to-end encryption) so the government can read communication if they want to.

The UK has a law ("snooper charter") that requires companies to "remove or disable" encryption when the government shows up with a warrant.

The US similarly is looking into end-to-end encryption busting legislation. And they already compelled companies to effectively disable encryption systems, e.g. when a judge ordered Lavabit (then the email provider Edward Snowden used) to hand over their encryption keys and install a government-provided device capable of logging all traffic. And let's not forget that for a long time US law classified strong encryption as a "weapon" which meant you could not export encryption easily. Or the NSA e.g. pushing their backdoor encryption-busting PRNG (Dual_EC_DRBG) and weak encryption schemes (Speck, Simon).

German politicians recently started demanding end-to-end encryption busting legislation too, except they said "we do not want to make encryption weaker or insecure, we just want that the companies give us the plaintext data", which once more shows that they didn't think it was necessary to do the most basic research into how this stuff works before talking.

It seems like this is material movement toward actual authoritarianism to me.
