SSH doesn't depend on certificate authorities; it's up to you to manage your own keys. Each endpoint also has a uniquely generated signature, which avoids MITM after first-time auth (including by taking over domains).
This is an HTTPS-only issue, and fundamentally it's the same problem as control over domains (ease of manipulation through centralisation).
As far as I know, both the apps you mentioned use HTTPS. However, apps have the option of doing what's called Certificate Pinning.
That's when the application ignores OS/User trust settings about certificates, and just allows a list of hardcoded certificates / certificates signed by a hardcoded CA. Akin to how SSH works (kind of...).
If I remember correctly, both Telegram and Instagram have pinned their certificates, which would probably block all network communication but not allow for a MITM attack, even if the user installed the KZ root certificate.
I think all Facebook apps do this, and probably most major apps from big companies. I tried to do some research on what requests the Facebook app was making on my phone and it was pretty difficult to get it to allow me to use Charles proxy (when I installed the cert on my phone the app just stopped working) because of the certificate pinning. The only way this would work is if the government created their own FB, etc. app and somehow distributed it.
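The pinning behaviour described in the comments above, as an added example that is not part of the original thread or taken from any app: the same intercepted chain passes a trust-store check once the user installs the extra root, but fails the app's pin check, so the app refuses to connect. The byte strings are constructed stand-ins for DER certificates, and `os_trust_ok` reduces normal chain validation to a root lookup (a simplifying assumption).

```python
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()

def os_trust_ok(chain, trust_store):
    """Simplified stand-in for OS validation: the chain ends in a trusted root."""
    return fingerprint(chain[-1]) in trust_store

def pin_ok(chain, pins):
    """Pinning: some certificate in the chain must be one the app shipped with."""
    return any(fingerprint(cert) in pins for cert in chain)

def connect_decision(chain, trust_store, pins):
    """How a client that follows OS trust and a pinning app treat one chain."""
    return {"os_trust_client": os_trust_ok(chain, trust_store),
            "pinned_app": pin_ok(chain, pins)}

def live_leaf_fingerprint(host, port=443):
    """Fingerprint of the leaf a real server presents (needs network; not called here)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))

# Constructed stand-ins for DER certificates (not real certificates).
APP_LEAF = b"constructed: app server leaf"
APP_CA = b"constructed: CA that really issues the app's certificates"
FORGED_LEAF = b"constructed: leaf minted by an intercepting proxy"
INJECTED_ROOT = b"constructed: root the user was told to install"

# Device trust store after the user installs the extra root.
TRUST = {fingerprint(APP_CA), fingerprint(INJECTED_ROOT)}
# Pins compiled into the app: only its own CA.
PINS = {fingerprint(APP_CA)}

GENUINE = connect_decision([APP_LEAF, APP_CA], TRUST, PINS)
INTERCEPTED = connect_decision([FORGED_LEAF, INJECTED_ROOT], TRUST, PINS)

if __name__ == "__main__":
    print("genuine chain:    ", GENUINE)
    print("intercepted chain:", INTERCEPTED)
```
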
I guess you'd have to install the certificate on your phone too. I guess that means that visitors to Kazakhstan won't have internet access during their stay, unless they install the malicious certificate on their phones as well. I really hope this doesn't set a precedent.
Just don't install that certificate. If something stops working, you'll know that they tried to break that channel. If something's working, then it's OK. And if you need things to work, use a VPN.
Hope you are doing well :)
I really enjoyed reading your manifesto — it deeply resonated with me, and I’d love the chance to chat.
I didn’t see specific openings on your careers page, but I’ve submitted my details via the Zoho form just in case.
If the interest is mutual, would love to have a chat!
Best, Daulet