Hacker News

This seems to assume that the certificate chain in the software available within China is not compromised (aka, "obvious" way to detect MITM).

I honestly don't know whether this is a fair assumption or not; it just strikes me as weird that it is not mentioned when first mentioning the "great firewall".

I suppose they could be using cert pinning[1].

[1]: http://www.imperialviolet.org/2011/05/04/pinning.html

You mean Apple? In that case, I don't understand how that would help. The user never sees Apple's certificate, they only see the one presented by the MITM, no?

In this case, if I understand the concept correctly, it would be iTunes that pins the certificate authority for the iTunes server.

One would still be vulnerable to a corrupt CA. The only solution to this would be to issue all certificates from an internal CA and verify this in your application.

Or you could just hardcode the certificate fingerprint and refuse to accept anything else. It's trivial when you own the client.

I'm not sure if this would break when you needed to renew the certificate, but I guess you only update the signature, not the actual public key.
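The renewal question raised in the comments above (pin the whole certificate, or pin the key?) is easiest to see by running it. The following is an added example, not code from the thread or from Apple or iTunes: it generates a server key, issues an original and a "renewed" certificate for that same key, plus a certificate from a different key standing in for whatever a MITM with a compromised CA would present, and then runs a pin check against the SHA-256 of the SubjectPublicKeyInfo (the HPKP-style pin). The names and certificate subject are constructed for the demo; the pin set is built from the original certificate only, as a shipped client would have it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 of the certificate's DER-encoded
// SubjectPublicKeyInfo. This hashes only the public key, so it survives a
// renewal that keeps the key and changes everything else.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// certFingerprint returns the hex SHA-256 of the whole DER certificate,
// which is what "hardcode the certificate fingerprint" pins. Any renewal
// (new serial, new validity, new signature) changes it.
func certFingerprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
}

// selfSigned issues a self-signed certificate for key. The serial number
// makes each issuance distinct; issuing twice for one key models a renewal.
func selfSigned(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "pinning-demo.example"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPinned is the check a client that "owns itself" runs on the chain
// the peer presented: accept only if some certificate in it carries a
// pinned key. The system trust store is not consulted, so a valid-looking
// certificate from any other CA, compromised or not, is rejected.
func verifyPinned(chain []*x509.Certificate, pins map[string]bool) error {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return nil
		}
	}
	return fmt.Errorf("no certificate in chain matches a pinned key")
}

// demo builds the scenario and reports: does the renewed cert (same key)
// pass the pin, is the MITM cert (other key) rejected, and did the
// whole-certificate fingerprint change across the renewal.
func demo() (renewedOK, mitmRejected, fingerprintsDiffer bool, err error) {
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	origCert, err := selfSigned(serverKey, 1)
	if err != nil {
		return false, false, false, err
	}
	renewedCert, err := selfSigned(serverKey, 2) // renewal: same key, new cert
	if err != nil {
		return false, false, false, err
	}
	mitmKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	mitmCert, err := selfSigned(mitmKey, 3) // attacker's cert, any issuer
	if err != nil {
		return false, false, false, err
	}

	// The shipped client knows only the original server key.
	pins := map[string]bool{spkiPin(origCert): true}

	renewedOK = verifyPinned([]*x509.Certificate{renewedCert}, pins) == nil
	mitmRejected = verifyPinned([]*x509.Certificate{mitmCert}, pins) != nil
	fingerprintsDiffer = certFingerprint(origCert) != certFingerprint(renewedCert)
	return renewedOK, mitmRejected, fingerprintsDiffer, nil
}

func main() {
	renewedOK, mitmRejected, differ, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("renewed cert passes SPKI pin:", renewedOK)
	fmt.Println("MITM cert rejected by SPKI pin:", mitmRejected)
	fmt.Println("whole-cert fingerprint changed on renewal:", differ)
}
```

In a real client the check would run inside a `tls.Config` `VerifyPeerCertificate` callback on the `*x509.Certificate` slice the handshake produced, and a production pin set would also include a backup key so that a lost or compromised server key does not brick every shipped client. The same caveat the thread raises still applies: the pin is only as trustworthy as the binary that carries it.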

But if China is already MITM, they can modify or replace the binary while you are downloading it.

Yep. In that case, you don't own the client.

When you ship your own browser and OS you can probably get away with that.


I wish they would address the topic, though. I interpret this article as meaning that HTTPS solves all censoring and content sensing issues, regardless.

Bad news: apparently China does have compromised certificates:


I wonder if China will ever have a revolution, and if the "winners" will even want to revert to a "normal" Internet. The problem is most Chinese don't even know what that is.

China has a CA. But so do lots of small Latin American countries. It'd be silly to think that a government the size of China cannot compromise some little country's CA. It'd also be silly to think that they cannot get inside at least one US CA. Comodo has shown that their controls are lacking, and that wasn't even a directly compromised employee.

So, China having a CA installed, while not great, certainly isn't giving them control they can't already get. Plus, why would they want to risk their own CA cert doing malicious things, where it'd be directly traceable to them?

>I wonder if China will ever have a revolution

I think, personally, that the Chinese government will just get more democratic over time. It's worth noting that China is certainly more so now than it was a few decades ago.

The People's Republic of China is more liberal now than a few decades ago, but not more democratic. The leaders are still not elected by the people.
