If the Chinese government controls a single CA that's installed by default, couldn't they MitM any TLS connection that isn't pinning certs?

Are there any Chinese CAs in any browsers' default installs? If so, they should probably be removed immediately.




CNNIC is no longer trusted by Chrome due to recent incidents, and you can manually remove it from Firefox and IE. While you're at it, take a few minutes to browse the list and also remove anything that sounds Chinese.

If any website you visit legitimately uses a Chinese SSL certificate, you can whitelist it specifically. I actually do this for SSL certificates signed by my own country's CA (not China), and it works wonderfully.
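A trust-store audit helper, added here as an example and not code from the thread: it reads the subject countryName and organizationName straight out of each root's DER so the "remove anything that sounds Chinese" step can be decided on a concrete certificate field rather than the display name. `fake_root` is a constructed placeholder certificate (structurally valid DER, unsigned) so the script runs offline; on a real system feed `flagged_roots` the DER of each trusted root (for a PEM bundle, `ssl.PEM_cert_to_DER_cert` on each block).

```python
OID_C, OID_O = b"\x55\x04\x06", b"\x55\x04\x0a"   # id-at-countryName, id-at-organizationName

def tlv(tag: int, body: bytes) -> bytes:
    """DER element with definite length (short form, or long form up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | ((n > 0xff) + 1)]) + n.to_bytes((n > 0xff) + 1, "big")
    return bytes([tag]) + length + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    k = 0 if first < 0x80 else first & 0x7f                 # count of long-form length bytes
    n = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    start = pos + 2 + k
    return tag, buf[start:start + n], start + n

def children(body: bytes):                                   # elements directly inside a SEQUENCE/SET body
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def name_attrs(name_body: bytes) -> dict:
    """Flatten an X.501 Name (SEQUENCE OF SET OF {oid, value}) into {oid_bytes: text}."""
    out = {}
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))[:2]
            out[oid] = val.decode("utf-8", "replace")
    return out

def subject_of(cert_der: bytes) -> dict:
    """Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity subject ..."""
    _, tbs, _ = read_tlv(read_tlv(cert_der, 0)[1], 0)
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                                # explicit [0] version tag present
        fields = fields[1:]
    return name_attrs(fields[4][1])                         # subject is the 5th remaining field

def flagged_roots(certs_der: list, countries=("CN",)) -> list:
    """(organisation, country) for every root whose subject countryName is in `countries`."""
    subjects = [subject_of(d) for d in certs_der]
    return [(s.get(OID_O), s[OID_C]) for s in subjects if s.get(OID_C) in countries]

def fake_root(country: str, org: str) -> bytes:
    """Constructed sample only: well-formed DER certificate skeleton with no real key or signature."""
    atv = lambda oid, txt: tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, txt.encode())))
    name = tlv(0x30, atv(OID_C, country) + atv(OID_O, org))
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name + tlv(0x30, alg + tlv(0x03, b"\x00" * 9))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" * 9))
```

The subject C= is what the CA asserted at issuance, not necessarily where the operator or its supervising government sits, so treat the list as the starting point for a review, and keep the per-site exceptions described above for anything you do remove.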