by toxicFork 4109 days ago
Asked in another thread, but it went down because the linked post was taken down, it seems [0]:

Would it have been prevented if Baidu served the .js files only over https? Are there any reasons for using http for anything that Baidu serves?

[0] https://news.ycombinator.com/item?id=9275201


Probably, yes. But considering that CNNIC, a root CA from China, is issuing unauthorized certificates [0], I cannot help connecting these two events. I won't be surprised if the Chinese government is using unauthorized certificates to initiate MITM attacks specifically targeting TLS traffic. If that is the case, there will be really bad days for the whole Internet.

0. http://googleonlinesecurity.blogspot.com/2015/03/maintaining...

Well, that sucks. That effectively makes HTTPS worthless there, doesn't it?

Also on the other link I have seen another relevant article [0] on how BitTorrent could be used for attacks from China.

Scary stuff.

[0] http://furbo.org/2015/01/22/fear-china/

CAs aren't geographically limited. Any CA trusted by your computer is trusted for any domain anywhere (with the exception of certificate pinning, which isn't commonly used). That means that a single rogue CA is enough to make HTTPS worthless everywhere.
Mozilla actually has done this (sort of), once. They restricted French agency ANSSI's root CA to only be valid for TLDs ending in .fr, .gp, .gf, .mq, .re, .yt, .pm, .bl, .mf, .wf, .pf, .nc, .tf.

https://wiki.mozilla.org/CA:IncludedCAs

They could also strip the https and serve everything over http through the firewall. The fact that the firewall exists is accepted in China so I don't see why they couldn't pull that off too.
For this to work properly, it requires https only, to prevent downgrade attacks (you stated that).

Google Analytics is also served both over http & https? Can anyone shine a light on that?

From https://developers.google.com/analytics/devguides/collection...

ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
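To make the question concrete (which scripts does a page actually fetch over plain http, the issue behind the Baidu question and the protocol-dependent Google Analytics loader above), here is an added Python audit helper that is not from the thread: it resolves every script src against the page URL, so a protocol-relative include counts as exposed only when the page itself is served over http. The hostnames in the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def plaintext_scripts(html, page_url):
    """Return the script URLs this page would fetch over plain http.

    page_url decides how protocol-relative ("//host/x.js") and
    path-relative sources resolve, so the same markup is clean on an
    https page and exposed to on-path tampering on an http page.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    exposed = []
    for src in parser.srcs:
        resolved = urljoin(page_url, src.strip())
        if urlsplit(resolved).scheme == "http":
            exposed.append(resolved)
    return exposed


# Constructed sample page (hostnames are placeholders, not from the thread).
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example.com/stats.js"></script>
<script src="//www.google-analytics.com/ga.js"></script>
<script src="https://ssl.google-analytics.com/ga.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for page in ("http://www.example.com/", "https://www.example.com/"):
        print(page, "->", plaintext_scripts(SAMPLE_HTML, page))
```

On the http page three of the four includes resolve to plain http; on the https page only the hard-coded http://cdn.example.com/stats.js remains exposed.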