by trod1234 567 days ago
Chain of Trust is the low-hanging fruit; there are many other potential avenues that compromise TLS.

If you want to see a full discussion of this exact topic by cybersecurity professionals, a Reddit post covered it a few years ago. I'll include the link below; it covered all the salient points with regard to what a business person should do while in China and what to expect. My response reiterates it, but lacks as much detail.

Attacks have only gotten better since then. You are up against a country that spends trillions on its ability to see and know everything you do digitally within their borders, and they deny service to companies that prevent or limit this mandatory access requirement.

VPN access is illegal in the country without prior government approval from the PRC's MIIT. Your company has to be approved to run a VPN, and that approval often implicitly includes mandatory requirements for decryption at the service provider level. It's largely speculated that Russia does the same through their network of "Red Boxes" that are co-located at ISPs and data exchanges within its respective country.

When decryption is forced, auth token theft is quite simple and bypasses 2FA in many cases.

Link: https://www.reddit.com/r/cybersecurity/comments/121ftg6/can_...