[lambdaone]

No, that's not needed at all. If the malicious actor can man-in-the-middle traffic to victimsite.com (say using a BGP hijack), they can serve HTTPS traffic to the end user from their MITM server, secured with a certificate issued to "victimsite.com" that is issued by their own CA, and the MITM can then in turn communicate to the real victimsite.com using HTTPS secured by the real site's certificate, signed by its own CA.

Now, there are CAA DNS records, which serve the purpose of restricting the CAs that can sign a particular domain, which would of course be ignored by the malicious actor, but _could_ be checked by the end user's browser. But to the best of my knowledge, no browser does that.

[ajsnigrutin]

This will get noticed in a matter of seconds.

But if your own government tells your own isp to reroute just your traffic over some MITM proxy, it's only you there to notice, and most probably, you won't.

[lambdaone]

In an ideal world, yes, they would by shut down in seconds. Yet BGP hijacks still occur in the real world; here's one from last month: https://slowmist.medium.com/analysis-of-balancer-bgp-hijacki...

And you're certainly right about government-mandated traffic hijacking.

[smarnach]

You are correct that no browser is looking at CAA records, because it would be wrong to do so. CAA records don't retroactively revoke certificates that have already been issued. Their only purpose is for CAs to check them before issuing a certificate.