
Stupid question maybe, but could certificate signing keys already be in government hands via backdoor (physical) handshakes/greased palms?

If this is the case, then you have to ask, why is this bill even needed?




A government would still have to make and use their own keys in a man-in-the-middle attack. The forged key means that if anyone bothers to check, it will be detected, and there are also various ways that an application can lock the used key to make this impossible. Man-in-the-middle requires a lot of control over the infrastructure; for something that works reliably, they would need to cooperate heavily with telcos and spend a good deal of money.
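
An added illustration of the key locking (pinning) mentioned in the comment above; it is not code from the thread. `fake_cert` builds constructed, unsigned DER skeletons that only follow the X.509 field order (they are not real certificates), and every name and value here is an assumption.

```python
import base64
import hashlib

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def children(body: bytes) -> list:
    """Split the content of a constructed element into whole child TLVs."""
    out, i = [], 0
    while i < len(body):
        n, hdr = body[i + 1], 2
        if n & 0x80:
            k = n & 0x7F
            n, hdr = int.from_bytes(body[i + 2:i + 2 + k], "big"), 2 + k
        out.append(body[i:i + hdr + n])
        i += hdr + n
    return out

def content(el: bytes) -> bytes:
    """Return the content bytes of one DER element."""
    return el[2 + ((el[1] & 0x7F) if el[1] & 0x80 else 0):]

def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(SubjectPublicKeyInfo)): the value an app would pin."""
    fields = children(content(children(content(cert_der))[0]))
    spki = fields[6] if fields[0][0] == 0xA0 else fields[5]  # [0] version is optional
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def fake_cert(host: bytes, key: bytes, serial: int = 1) -> bytes:
    """Constructed test input: certificate-shaped DER, no real signature."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    name = seq(tlv(0x0C, host))
    spki = seq(seq(tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")), tlv(0x03, b"\x00" + key))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])), seq(), name, seq(), name, spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))

def connection_allowed(cert_der: bytes, pins: set) -> bool:
    """Pin check, applied in addition to normal chain validation."""
    return spki_pin(cert_der) in pins

KEY = b"\x04" + b"\x11" * 64                                   # constructed key bytes
GENUINE = fake_cert(b"example.test", KEY)
FORGED = fake_cert(b"example.test", b"\x04" + b"\x22" * 64)    # same name, different key
PINS = {spki_pin(GENUINE)}
```

Because the pin covers only the public key, a reissued certificate that keeps the same key still matches, while a certificate for the same name with a different key does not.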


Thanks for explaining. I did wonder why the downvote from someone, now I understand why.


That's a very bold claim, any evidence you can provide to support it? How do the governments sidestep Certificate Transparency, which makes the simple possession of the signing keys ineffective? And have there ever been reports of developers observing these rogue certificates in the wild?


My assumption was that the signed certificates are provided by governments to state-owned or shell companies (China having high profile cases of this). But if it really was this simple, it would have been noticed earlier.



