Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
viraptor 3 days ago

QUIC uses TLS1.2 (or higher), so the guarantees are the same as for HTTPS streams. That means it protects the data streams against MitM.

nabla9 3 days ago | parent | next [-]

Not any different from TLS.1.2 over TCP.

https://en.wikipedia.org/wiki/File:HTTP-1.1_vs._HTTP-2_vs._H...

Here is good intro for you:

The Security Challenges of HTTP/3 and QUIC — What You Need to Know https://medium.com/@RocketMeUpCybersecurity/the-security-cha...

lazide 3 days ago | parent | prev [-]

Not if they have a root cert.

viraptor 3 days ago | parent | next [-]

That's not a property of QUIC. Yes, if you trust both sides, then you trust both sides. That's not what people normally understand as MitM.

lazide 2 days ago | parent [-]

Pre-cert usage/issuance lists, it would take a keen eye to spot auto-mitm using root certs.

Thorrez 3 days ago | parent | prev [-]

If China uses a root cert to issue bogus certs, that'll get caught by certificate transparency. Assuming people use browsers that enforce certificate transparency.

eptcyka 3 days ago | parent [-]

Kazakhstan literally forced their own cert for lots of popular sites for a while, expecting users to click the through and accept them. It was made illegal to not accept government certificates.

esafak 3 days ago | parent | next [-]

https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a...

Thorrez 2 days ago | parent | prev [-]

Was Kazakhstan successful? esafak's link seems to imply it wasn't very successful.

Anyways, my point wasn't that a government can't MITM using a root cert. My point is that the government can't do so secretly. The whole world will know if they try.