Hacker News new | ask | show | jobs
by cthalupa 2600 days ago
It explicitly does not. It means there are additional barriers to doing it - people would need to accept a bad cert (we already know the overwhelming majority will), or they would need to slip in their own CA that allows them to generate their own valid certs for MITM, but that is eminently doable for the Chinese government inside of China. They can then block all traffic for people that do not use the cert that allows them to decrypt said traffic. It functionally is the exact same thing, and would still allow "legitimate" traffic without problem.
2 comments
lugg 2600 days ago
That's not what explicitly means. Ssl explicitly does prevent mitm attacks from intercepting URLs of requests.

The fact you can get around it by ignoring the cert is a bit irrelevant. It's like saying locks don't work because people can break your window.

link
cthalupa 2595 days ago
As noted, you don't have to ignore the cert, and we're talking about state level actors.

And it's not the window. It's like saying locks don't work if the state has a master key, which they do.

link
sroussey 2600 days ago
They already have their own CA in browsers, so they can easily MITM. That’s why mobile apps will use certificate pinning to verify their server
link