
That's why I said "store shipped with the browser". I don't think Kazakhstan has the ability to get Firefox to ship their root cert.

This is kinda rich under an article where they forced a cert into the OS trust store. It takes the same amount of effort to get the cert into browser-specific stores, because these need to be editable and an installer gets control of the system anyway.

"it rather involves being already at the other end of this airtight doorway"

The current page asks the user to run an installer, elevating privilege. There's nothing a browser can really do against that. DLLs can be replaced and signatures can be tampered with, etc.

Just because you said "ship them with the browser" doesn't make you magically right nor safe under the linked threat.

Alerting the user when a MITM certificate is active in the trust store is relying on a completely different threat model than "protect the entire operating system against state-mandated malware". I'm saying browsers should at least do the former. You seem to think that's pointless unless they also do the latter, but of course they can't do that. Some security of the trust store is better than no security.
