Hacker News new | past | comments | ask | show | jobs | submit login

If a user trusts this root CA (~ "installs the certificate") then someone who controls the root can now make their MITM look like the real deal, because it's trusted. After all you've said you trust them. Whether you _should_ trust the authoritarian government of Kazakhstan is a policy issue.

On its own the root does not magically intercept the traffic, so Kazakh ISPs will need to do a bunch of (potentially quite expensive) work to actually MITM traffic for the Kazakh government, but with the root once that work is done it doesn't get flagged as a problem.

Because this exact same strategy (root that is not trustworthy is installed) is used in corporate setups to do anti-exfiltration, porn filtering and dozens of other things of dubious value, browsers are designed to let you, or the computer's administrator, choose to trust root CAs and indeed lots of counter-measures that protect ordinary users from bad guys are deliberately _disabled_ in the scenario where you've told it to trust some third party. You know best.

If you imagine a hypothetical system which just doesn't trust this root, say somebody has a Raspberry Pi they smuggled across the border, or more prosaically, they just said "No" and refused to install the root certificate -- such a system just will treat the MITM as an error, your secure web browsing won't work because it can't make a secure connection.

Or contrariwise, suppose you install the root in an otherwise ordinary PC in New York connected to AT&T, it will have no effect because the Kazakh government obviously isn't in New York MITMing your connections to other stuff.

How do I know that NSA does not have one root certificate pre-installed in my browser?

Review and compile the browser yourself, or just trust that someone would have found it by now and trust that your browser vendor knows that and would never do it in the first place unless they wanted to kill their browser instantly

The NSA doesn't need a root certificate installed on your computer if they already have the private keys to the root and/or intermediate CA providers.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact