by noragami 2530 days ago
Hijacking the comment for better visibility. After getting some backlash, the government has already backed down. They claim that installing the certificate is entirely voluntary.

https://rus.azattyq.org/a/30064788.html

They have been talking about this stuff for some years, though. It will get implemented at some point. I have a feeling it was one of their "test trials": can we boil the frog yet, or do we have to heat the water up a bit more?

Are you sure that's really them backing down, and not just a way to obfuscate the issue? Technically yes, installing the certificate is voluntary; it's just that if you don't install it you won't be able to access the internet anymore when the government starts MITMing your connections.
Let's say they make it mandatory. Would it be possible for a group of people with one having unfettered access because, say, they cross the border all the time to a place that has full Internet, and they use wget to tar/gzip entire sites, place this on a server in a city, and provide access with a self-signed cert that everyone involved knows about?

Or failing that, some kind of digital dead drop with the files. If this could be updated a few times a week, that's better than not having access to material that you don't want the government to know about. It has to be possible.

Folks should also periodically get fingerprints of sites they often use and keep logs of them, so that you might notice if something changes.

example:

    openssl s_client -servername www.paypal.com -connect www.paypal.com:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
    SHA1 Fingerprint=E8:20:7A:27:8C:BE:D4:D9:7F:44:32:89:E7:6B:13:DD:CE:58:50:F6
Perhaps put all the sites you visit into a text file and loop through them into a date based file or append with date stamps. If enough people did this, you could probably even spot when an entire region is doing something shady or a company was potentially compromised.
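One way to automate the fingerprint logging described above, as an added example that is not part of the thread: it appends a date-stamped SHA-256 fingerprint per host to a log and reports when a host's fingerprint differs from the last one logged. The `hosts.txt` and `cert-fingerprints.log` names are assumptions, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): log TLS leaf-certificate fingerprints
# for a list of hosts and flag any host whose fingerprint changed since the
# last run. File names below are hypothetical.

HOSTS_FILE="${HOSTS_FILE:-hosts.txt}"            # one hostname per line
LOG_FILE="${LOG_FILE:-cert-fingerprints.log}"    # lines: "DATE HOST FINGERPRINT"

# fetch_fingerprint HOST -> prints the SHA-256 fingerprint of HOST's leaf cert
fetch_fingerprint() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
      | openssl x509 -fingerprint -sha256 -noout \
      | sed 's/^.*Fingerprint=//'
}

# last_fingerprint HOST LOG -> prints the most recently logged fingerprint for HOST
last_fingerprint() {
    [ -f "$2" ] || return 0
    awk -v h="$1" '$2 == h { fp = $3 } END { if (fp != "") print fp }' "$2"
}

# record_fingerprint HOST FP LOG -> appends "DATE HOST FP" to LOG and prints
# NEW, UNCHANGED, or "CHANGED <old> -> <new>"
record_fingerprint() {
    host=$1; fp=$2; log=$3
    prev=$(last_fingerprint "$host" "$log")
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" "$fp" >> "$log"
    if [ -z "$prev" ]; then
        echo "NEW"
    elif [ "$prev" = "$fp" ]; then
        echo "UNCHANGED"
    else
        echo "CHANGED $prev -> $fp"
    fi
}

# Main loop: runs only when the host list exists, so the functions above can
# be exercised offline with constructed log entries.
if [ -f "$HOSTS_FILE" ]; then
    while read -r host; do
        [ -n "$host" ] || continue
        fp=$(fetch_fingerprint "$host")
        [ -n "$fp" ] || { echo "$host: could not fetch certificate" >&2; continue; }
        echo "$host: $(record_fingerprint "$host" "$fp" "$LOG_FILE")"
    done < "$HOSTS_FILE"
fi
```

A CHANGED line is only a signal, not proof of interception: legitimate certificate renewals also change the fingerprint, so compare against what others outside the network see for the same host.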
They are not backing down, they are just saying meaningless words. My wife's phone is MITMed right now and she can't open facebook, for example. How is it voluntary?