by akersten 2173 days ago
Google, Mozilla, et al. should make a commitment to revoke the trust of any CA that is found to partake in behavior like that. Even retroactive revocation of existing certificates shouldn't be off the table if the offense is egregious enough.

It's actually pretty scary seeing just how many CAs are in the list of trusted CAs on any given device. While no government is beyond reproach, I do wish there were a way for me as a user to say "don't trust anything signed by CAs outside of these few countries, since it's most likely a hijack, phishing, or in the rare case that I did try to visit some random site, I can approve it manually."

Browsers blacklisted the Kazakhstan government certificate used for MITM, which was not even trusted. It is absurd to expect anything less than blacklisting such a CA immediately. Certificate transparency is required for all certificates since April 2018, so you can't really issue a rogue certificate.
Here's the Bugzilla report where they actually request their root be added to Firefox:

https://bugzilla.mozilla.org/show_bug.cgi?id=1232689

The answer is basically "no".

AFAIK they used a different certificate for MITM. Currently they are using the certificate mentioned in that bug to issue certificates for government websites (like https://elicense.kz/), so actually a lot of citizens who need to use government services have to install that certificate as a root anyway.

I don't think that they would use that certificate for MITM. They're not fools and they understand that it would lead to blacklisting it which would halt a lot of operations in the country.

> It is absurd to expect anything less than blacklisting such a CA immediately.

Is it, though? Germany has a lot more economic leverage than Kazakhstan. Suppose they pass a law requiring any browser sold or otherwise offered on the German market to have the government certificate in the chain of trust... how many large companies would cave?

Does the browser check?
You could, for example, use the Certificate Manager in Firefox to delete specific authorities you do not trust.
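An added example, not from the thread, of the per-country trust policy the first post wishes for and the manual root removal suggested above: it applies a constructed country allowlist to root certificates in the dict layout Python's `ssl` module exposes and reports which roots would have to be removed. The allowlist, the sample roots and the function names are assumptions.

```python
import ssl

# Constructed allowlist: only roots whose subject country is in this set stay trusted.
ALLOWED_COUNTRIES = {"US", "DE"}

# Constructed sample roots in the layout ssl.SSLContext.get_ca_certs() returns.
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example US Root"),)),
     "issuer": ((("countryName", "US"),), (("organizationName", "Example US Root"),))},
    {"subject": ((("countryName", "DE"),), (("organizationName", "Example DE Root"),)),
     "issuer": ((("countryName", "DE"),), (("organizationName", "Example DE Root"),))},
    {"subject": ((("organizationName", "Example Root Without Country"),),),
     "issuer": ((("organizationName", "Example Root Without Country"),),)},
]


def rdn_value(name, attr):
    """Return the first value of `attr` in a subject/issuer tuple of RDNs, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def partition_roots(roots, allowed):
    """Split roots into (trusted, distrusted) by subject country.
    A root with no countryName is distrusted: fail closed, not open."""
    trusted, distrusted = [], []
    for cert in roots:
        country = rdn_value(cert.get("subject", ()), "countryName")
        (trusted if country in allowed else distrusted).append(cert)
    return trusted, distrusted


def describe(cert):
    """Human-readable label 'Org (C=XX)' for a root certificate dict."""
    subject = cert.get("subject", ())
    return f'{rdn_value(subject, "organizationName")} (C={rdn_value(subject, "countryName")})'


def audit_system_roots(allowed=ALLOWED_COUNTRIES):
    """Apply the policy to the roots Python's default context trusts on this machine."""
    ctx = ssl.create_default_context()  # loads the platform/OpenSSL default CA bundle
    return partition_roots(ctx.get_ca_certs(), allowed)


if __name__ == "__main__":
    trusted, distrusted = audit_system_roots()
    print(f"{len(trusted)} roots match the allowlist, {len(distrusted)} would be removed:")
    for cert in distrusted:
        print("  ", describe(cert))
```

The script only reports; Firefox keeps its own NSS root store rather than the OpenSSL bundle, so the actual removal there is the manual step in Certificate Manager described above.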