|
|
|
|
|
|
by tony101
3155 days ago
|
|
|
EV certificates must be submitted to CT logs, which means ProtonMail and the public will be able to detect the malicious certificate. If it's not a EV certificate, the browser user interface changes and a security-conscious user may notice. That said, if a powerful government is after a user specifically, it is just a matter of time and effort before the government gets in. |
|
|
This is often used as an argument by EV advocates, but it doesn't hold up under scrutiny. An attacker with access to a non-EV certificate can selectively intercept only connections for subresources of the targeted site (i.e. JavaScript). The "main" connection would still use the EV certificate and thus show the browser indicator. This attack was first made public in 2008[1] and has been further refined in later work[2].
HPKP and the Expect-CT header provide some viable mitigations for this. That said, it seems unlikely to me that a nation-state adversary would choose to attack at the Web PKI level in this scenario. Compromising ProtonMail or the user's device would probably cheaper and less likely to be detected.
[1]: http://w2spconf.com/2008/papers/s2p1.pdf
[2]: https://www.blackhat.com/presentations/bh-usa-09/SOTIROV/BHU...