[tomxor]

SSH doesn't depend on certificate authorities, it's up to you to manage your own keys, each end point also has a uniquely generated signature which avoids MITM after first time auth (including by taking over domains).

This is a HTTPS only issue and fundamentally it's the same problem as control over domains (ease of manipulation through centralisation).

[daukadolt]

So that means apps like Instagram are safe to chat in?

[filleokus]

Not necessarily.

As far as I know, both the apps you mentioned use HTTPS. However, apps have the option of doing what's called Certificate Pinning.

That's when the application ignore OS/User trust settings about certificates, and just allows a list of hardcoded certificates / certificates signed by a hardcoded CA. Akin to how SSH works (kind of...).

If I remember correctly both Telegram and Instagram have pinned their certificates, which would probably block all network communication but not allow for a MITM attack, even if the user installed the KZ root certificate.

[yladiz]

I think all Facebook apps do this, and probably most major apps from big companies. I tried to do some research on what requests the Facebook app was making on my phone and it was pretty difficult to get it to allow me to use Charles proxy (when I installed the cert on my phone the app just stopped working) because of the certificate pinning. The only way this would work is if the government created their own FB, etc. app and somehow distributed it.