by whelp_24 962 days ago
You should read the letter, it's worse than that. It makes these gov CA's unrejectable, along with providing a means of tracking your activity. Essentially, it's like giving your least trusted EU country access to your browsing history and some of your decrypted traffic.

They could have reduced scope, but looking at effects perhaps that's not what they actually want.

It makes these gov CA's unrejectable

That part I understood

along with providing a means of tracking your activity. Essentially, it's like giving your least trusted EU country access to your browsing history and some of your decrypted traffic.

This one though, not quite. Can you explain in layman terms, maybe by means of a practical example, how this would work exactly and what is needed for it?

You are sending letters to your friend and getting their replies back in the mail.

You know your government delivers your letters and they could open them and read them, but you trust your government to keep your info private and use this power well.

The current regulation would mean any government can peek at your letters, and even if they got caught peeking or letting their friends read your letters, your mail carrier can't do anything. They aren't even allowed to ban the other government's friend from reading your mail.

If you had a friend who tried to help you write in secret code to avoid these other governments or strangers from reading your mail, they would be risking jail time.

Not only do you have to trust your government, but you must trust every government in the EU and if they get caught misbehaving, nobody can do anything about it.

(Practically, any government can MITM any SSL connection and read or alter things at will.)

Thanks, but I wasn't actually looking for an analogy. I'm trying to understand things like how the government (or whatever actor) would gain access to browser history via a MITM attack for instance.

They wouldn't gain access to previous browser history, but as soon as they issue a certificate for a website they can get ISPs to use that certificate for MITM.

Any MITM attack is always going to be going forward, not in reverse, at least to capture authentication sessions (and then you can root around in someone's account).

1. Compromised WiFi networks ("McDonald's Free Wifi")

2. BGP Hijacks (these tend to get noticed)

3. Malware running a local proxy (Malware can try to inject its own cert into the store too but that cert would be compromised by CT/AV/etc. A proxy with a valid gov cert would be much harder to detect.)

4. Compromised cell sites (stingray type devices)

5. Mistyped URLs, often in combo with spear phishing.