[gsich]

And people from that country have those certificates installed? Voluntarily?

[viraptor]

In case of countries, you don't need the certificate installed for MITM to work. You just need it if you want to get rid of the warning on every single https website. Unless you tunnel your traffic, it's visible.

In case of large corps, you get assigned a laptop / desktop setup by the company. You probably authenticate to the AD and don't even get the privileges to add/remove certificates.

[yorwba]

Also, if the country has its own root CA, it can just sign arbitrary certificates. https://en.wikipedia.org/wiki/CNNIC#Fraudulent_certificates

[yjftsjthsd-h]

Notice of course that that little stunt resulted in them being removed from everybody's trust stores. And it's not like you can just get away with it these days, since certificates are all publicly logged now.

[viraptor]

> since certificates are all publicly logged now.

Only some of them are. All EV and some DV get published.

[yjftsjthsd-h]

Didn't realize that; apparently all Symantec certs require it, and I misunderstood that as industry-wide.

[TomMarius]

Not everybody's. There is whole China where the certs remain installed.

[gsich]

And how is that accomplished? I doubt this will happen on private PCs.

[zeusk]

Just a single data point but the last time I was in Beijing, my iPhone prompted me to install a certificate before I could hop on to the airport WiFi.

I just spent the next 3 hours of the layover without internet.

[nabla9]

Uyghurs in China need to install mandatory tracking app to their mobile phones.