by viraptor 2901 days ago
In the case of countries, you don't need the certificate installed for MITM to work. You just need it if you want to get rid of the warning on every single HTTPS website. Unless you tunnel your traffic, it's visible.

In the case of large corps, you get assigned a laptop / desktop setup by the company. You probably authenticate to the AD and don't even get the privileges to add/remove certificates.


Also, if the country has its own root CA, it can just sign arbitrary certificates. https://en.wikipedia.org/wiki/CNNIC#Fraudulent_certificates
Notice of course that that little stunt resulted in them being removed from everybody's trust stores. And it's not like you can just get away with it these days, since certificates are all publicly logged now.
> since certificates are all publicly logged now.

Only some of them are. All EV and some DV get published.

Didn't realize that; apparently all Symantec certs require it, and I misunderstood that as industry-wide.
Not everybody's. There is the whole of China, where the certs remain installed.
And how is that accomplished? I doubt this will happen on private PCs.