Hacker News
by 4ad 5135 days ago
You seem to be unaware that businesses (and governments) can legitimately buy keys that allow MITMing SSL connections, or they could just be a CA themselves (no problem for China).

It is annoying that people downvote you instead of explaining your error in your assumption about SSL.

1 comments

Yes, but then that bogus certificate is in the wild. Once someone has a copy of a bogus certificate, then they can prove that that CA is corrupt. That CA loses its business model. What I am saying does not prevent one-off attacks, but all it takes is one person to capture a bad certificate to discredit a CA. Hence it would not work in a universal censorship scheme as Google is combating. Maybe I am still overlooking something, and I suppose China could just SSL proxy the whole country, which would defeat all of this.
You are very confused about how SSL in the context of HTTP works. Here's the best talk I know of on this subject:

BlackHat USA 2011: SSL And The Future Of Authenticity: http://www.youtube.com/watch?v=Z7Wl2FW2TcA