Hacker News new | ask | show | jobs
by buraktamturk 1317 days ago
It is very easy for Turkish government to issue fake certificates via a Turkish company. They did it with Turktrust once (CA certificate issued to EGM and EGM issued a cert for *.google.com, EGM stands for Turkish Police), they can do it again.
1 comments
bombcar 1317 days ago
Any government that can seize the domain can issue a fake cert for that domain, so no matter what is put in place, the Turkish government could always issue a fake cert for .tr - or any other domain owned by a Turkish company.

The *google.com stuff is the more dangerous, but that can be detected pretty quickly if widely deployed - the intelligent way would be to only do so in very target situations and very, very rarely.

(Google added certificate pinning and other things to try to protect against this in the future)

link
buraktamturk 1317 days ago
No government can do it as easy as Turkish government, in many of the countries they have laws and there are mechanisms to ensure they are followed - if not there are punishments. Turkey does not have laws as for 2022 (they only exists on paper and no one cares). If Turkey does this there won't be any punishment to itself for harming the CA company and any journalist reporting this incident will be thrown to jail, if not killed for exposing Turkish Intelligence secrets.

The probabilities talk. 0.00001% this is happening in Europe (which would ended up with punishment for liable parties) vs. >50% this is happening in Turkey (punishment of journalists for exposing this etc).

link
lmm 1316 days ago
If a country is corrupt from top to bottom then it doesn't really matter what the laws are.

But in the US the same thing can happen completely legally, via a National Security Letter, with no real oversight or appeal. And much of Europe is starting to follow the same path.

link
bombcar 1317 days ago
Sure, Turkey is way more likely to do it than other countries, but it is done in various places and various ways - the US even has a default page for "this domain has been seized" and they've been known to run "illegal" domains for quite awhile collecting data.
link
buraktamturk 1317 days ago
Which is not the same thing with issuing rouge certificates to MitM you, especially for political purposes. For example, a winner of local best talent TV show (Atalay Demirci)'s Twitter account hacked and his messages published online and just because of his ordinary messages with a former Turkish deputy (Hakan Sukur), who is now in exile in the U.S. - he got jailed for political reasons.

So a rouge certificate for *.twitter.com can really ruin ordinary people life in Turkey. We are talking about a human life here.

link