|
|
|
|
|
|
by Maakuth
5386 days ago
|
|
|
For your first point, if they own their own root CA that is trusted by browsers, then the capability is definitely in their hands. And that doesn't need any kind of special hacking capabilities, just signing a certificate that is for Google services. The whole SSL certificate trust hierarchy depends on CAs not being that evil, there is no tech keeping them non-evil. Of course Chrome does certificate pinning at least for their own services, but not the others. But on you second point I agree. If they are prepared to use such capability, it would be really stupid to reveal their will to do such dirty tricks in some ordinary matter - better save it for a real need. |
|
|