by buraktamturk 1316 days ago
There is a law in Turkey which was passed in the state of emergency (2016), and these laws later became permanent. If the government demands anything from a Turkish company and this demand is not complied with quickly, then the government takes control of the company (replacing the boss, changing banking passwords) temporarily in order to comply. This process does not involve a judicial authority but an administrative one. It wouldn't matter if it involved judicial authorities because the justice system is the worst kind of joke.

I know it because they took control of our company in 2016. The reason in the decision: "inspector found no evidence of tax evasion, which is suspicious for a Turkish company, therefore we take control of the company." (not joking)


I wish the TLS Name Constraints extension were widely supported. Then browser vendors could just say that until that law gets repealed, they won't accept root CAs from any Turkish entities without a Name Constraints extension limiting them to only sign within the .tr TLD.
X.509 Name Constraints are widely supported in browsers at this point - ref. https://bettertls.com - at least for DNS SANs and for the common cases.
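The mechanism the two comments above are discussing, as an added example that is not part of the thread: a Go program using only the standard library builds a constructed root CA carrying a Name Constraints extension that permits only names under `.tr`, has that root issue a server certificate, and returns the verifier's decision. A name like `example.tr` chains fine; `www.google.com` is rejected even though the signature is valid. The root's name, serial numbers and validity windows are constructed values for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on setup errors (key generation, encoding): those mean a broken environment, not a verification result.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// VerifyUnderConstrainedRoot builds a self-signed root whose Name Constraints extension
// permits only DNS names under suffix (".tr" = anything ending in .tr), has that root
// issue a server certificate for dnsName, and returns nil if a constraint-enforcing
// verifier accepts the chain, otherwise the x509 error explaining the rejection.
func VerifyUnderConstrainedRoot(suffix, dnsName string) error {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		// The constraint itself; critical, so a verifier that cannot parse it rejects rather than ignores it.
		PermittedDNSDomains: []string{suffix}, PermittedDNSDomainsCritical: true,
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	// Leaf for dnsName signed by the root; the name goes in a DNS SAN, which is what Name Constraints are matched against.
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames:  []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	// Verify checks every SAN against the root's permitted subtrees; an out-of-scope name fails with CANotAuthorizedForThisName.
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}
```

The same check is what a browser that honours Name Constraints performs on every chain, which is why a constrained root cannot be used against a domain outside its permitted subtree no matter who controls it.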
This is why certificate transparency is so important. They can sign fraudulent certificates and MitM websites for a short while, but the CA will probably be permanently blacklisted if any browser in the wild encounters these certificates.

Turkey can eliminate their trust-based companies one by one if they deem it necessary, but for a government seemingly trying to focus on exports, the distrust would probably hurt more than it would yield. See DigiNotar and WoSign/StartCom.

It is very easy for the Turkish government to issue fake certificates via a Turkish company. They did it with Turktrust once (a CA certificate was issued to EGM, and EGM issued a cert for *.google.com; EGM stands for the Turkish Police); they can do it again.
Any government that can seize the domain can issue a fake cert for that domain, so no matter what is put in place, the Turkish government could always issue a fake cert for .tr - or any other domain owned by a Turkish company.

The *.google.com stuff is the more dangerous, but that can be detected pretty quickly if widely deployed - the intelligent way would be to only do so in very targeted situations and very, very rarely.

(Google added certificate pinning and other things to try to protect against this in the future)

No government can do it as easily as the Turkish government; in many of the countries they have laws and there are mechanisms to ensure they are followed - if not, there are punishments. Turkey does not have laws as of 2022 (they only exist on paper and no one cares). If Turkey does this there won't be any punishment for itself for harming the CA company, and any journalist reporting this incident will be thrown in jail, if not killed, for exposing Turkish Intelligence secrets.

The probabilities talk. 0.00001% this is happening in Europe (which would end up with punishment for the liable parties) vs. >50% this is happening in Turkey (punishment of journalists for exposing this, etc.).

If a country is corrupt from top to bottom then it doesn't really matter what the laws are.

But in the US the same thing can happen completely legally, via a National Security Letter, with no real oversight or appeal. And much of Europe is starting to follow the same path.

Sure, Turkey is way more likely to do it than other countries, but it is done in various places and various ways - the US even has a default page for "this domain has been seized" and they've been known to run "illegal" domains for quite a while collecting data.
Which is not the same thing as issuing rogue certificates to MitM you, especially for political purposes. For example, the Twitter account of a winner of a local best-talent TV show (Atalay Demirci) was hacked and his messages were published online, and just because of his ordinary messages with a former Turkish deputy (Hakan Sukur), who is now in exile in the U.S., he got jailed for political reasons.

So a rogue certificate for *.twitter.com can really ruin ordinary people's lives in Turkey. We are talking about a human life here.