SSL infrastructure was already known to be best treated as globally compromised.

If this is real, then the Chinese may have collected some interesting statistics regarding the percentage of developers who don't care about certificate issues.

I didn't see the cert appear over the wire myself, but I'm in China at the moment and spent part of this week in communication with the Gentoo and Debian release engineering teams suggesting they revisit perceived issues in their respective key distribution processes and documentation (issues focused on automated validation of install media; not individual packages). Gentoo was already working on it and Debian got back to me pretty quick. I don't feel I was wasting my time now.

Really, we need a key distribution and trust anchor solution for the masses, as Moxie has spoken about, that includes 'trust agility'. IIRC the latest iteration of his proposed solution there is http://tack.io/

It's worth pointing out that many governments have MITM and warrantless surveillance systems, not only the Chinese. For more background see http://wikileaks.org/spyfiles/, which summarizes: "Mass interception of entire populations is not only a reality, it is a secret new industry spanning 25 countries." See also Jacob Appelbaum's keynote at 29C3, https://www.youtube.com/watch?v=QNsePZj_Yks (YouTube is also banned in China).

(edit: posted beneath this thread as Moxie is one of the community's most respected parties in this area and just posted, but I had some extra info in here! :) )

