
I suppose they could be using cert pinning[1].

[1]: http://www.imperialviolet.org/2011/05/04/pinning.html

You mean Apple? In that case, I don't understand how that would help. The user never sees Apple's certificate, they only see the one presented by the MITM, no?

In this case, if I understand the concept correctly, it would be iTunes that pins the certificate authority for the iTunes server.

One would still be vulnerable to a corrupt CA. The only solution to this would be to issue all certificates from an internal CA and verify this in your application.

Or you could just hardcode the certificate fingerprint and refuse to accept anything else. It's trivial when you own the client.

I'm not sure if this would break when you needed to renew the certificate, but I guess you only update the signature, not the actual public key.
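The two comments above describe hardcoding a pin in a client you control and worrying about what happens at renewal. The following is an added example, not code from this thread, showing why pinning the SubjectPublicKeyInfo (the key) rather than the whole certificate survives a reissue that keeps the key pair: it uses a minimal DER walker over constructed, unsigned stand-in certificates, and the base64(SHA-256(SPKI)) pin format is an assumed convention.

```python
import base64
import hashlib

def der_tlv(tag, content):
    """Encode one DER TLV (short or long-form definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def der_children(content):
    """Split the content of a constructed DER value into its child TLVs."""
    out, i = [], 0
    while i < len(content):
        n, hdr = content[i + 1], 2
        if n & 0x80:  # long-form length: low bits give the number of length bytes
            k = n & 0x7F
            n, hdr = int.from_bytes(content[i + 2:i + 2 + k], "big"), 2 + k
        out.append(content[i:i + hdr + n])
        i += hdr + n
    return out

def der_content(tlv):  # value bytes of one TLV, header stripped
    return tlv[2 + ((tlv[1] & 0x7F) if tlv[1] & 0x80 else 0):]
def spki_from_cert(cert_der):
    """DER SubjectPublicKeyInfo: 7th TBSCertificate field with a [0] version, else 6th."""
    fields = der_children(der_content(der_children(der_content(cert_der))[0]))
    return fields[6] if fields[0][0] == 0xA0 else fields[5]
def spki_pin(cert_der):
    """Pin as base64(SHA-256(SPKI)): unchanged by a renewal that keeps the key pair."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()
def cert_fingerprint(cert_der):  # hash of the whole cert: changes on every reissue
    return hashlib.sha256(cert_der).hexdigest()
def check_pin(cert_der, pins):
    """Accept the presented leaf certificate only if its key pin is in the hardcoded set."""
    return spki_pin(cert_der) in pins

def _seq(*kids):
    return der_tlv(0x30, b"".join(kids))
def fake_cert(serial, key_byte):
    """Constructed sample: an unsigned stand-in with the field layout of an X.509 v3 cert."""
    alg = _seq(der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), der_tlv(0x05, b""))
    name = _seq(der_tlv(0x31, _seq(der_tlv(0x06, b"\x55\x04\x03"), der_tlv(0x0c, b"example"))))
    validity = _seq(der_tlv(0x17, b"240101000000Z"), der_tlv(0x17, b"250101000000Z"))
    spki = _seq(alg, der_tlv(0x03, b"\x00" + bytes([key_byte]) * 64))  # stand-in public key
    tbs = _seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, bytes([serial])),
               alg, name, validity, name, spki)
    return _seq(tbs, alg, der_tlv(0x03, b"\x00" * 9))
CERT_ORIGINAL = fake_cert(1, 0xA1)   # certificate whose key was pinned when the client shipped
CERT_RENEWED = fake_cert(2, 0xA1)    # reissued later with the same key pair
CERT_OTHER_KEY = fake_cert(3, 0xB2)  # a different key, as an interposed proxy would present
PINS = {spki_pin(CERT_ORIGINAL)}
```

With a full-certificate fingerprint pinned instead, `CERT_RENEWED` would be rejected after every renewal, which is the breakage the comment above worries about.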

But if China is already MITM, they can modify or replace the binary while you are downloading it.

Yep. In that case, you don't own the client.

When you ship your own browser and OS you can prob get away with that.


I wish they would address the topic, though. I interpret this article as if they mean that HTTPS solves all censoring and content sensing issues, regardless.
