Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
heavyset_go 12 hours ago

You don't need to break TLS to do IP and domain blocking and redirection.

That said, I'd assume governments have access to root certificates, anyway, but they're only broken out for big investigations or secret dragnet stuff we'll find out about in five decades, if ever.

toast0 11 hours ago | parent [-]

You don't need to break TLS to do IP/domain blocking, but you can't redirect an https page unless you have an acceptable certificate.

> but they're only broken out for big investigations or secret dragnet stuff we'll find out about in five decades, if ever.

Certificate Transparency, where required, makes certificates unusable if they're not published... But that might not be enough information.

vintermann 7 hours ago | parent | next [-]

You certainly can, but you should get a big screaming "this site's certificate is not valid for dodgy-casino.games" warning.

If not, then maybe your browser vendor has been pressured to add some root certificate controlled by the Serbian police, which it approves to issue certificates to impersonate dodgy-casino.games.

10000truths 10 hours ago | parent | prev [-]

This is a DNS hijack, not an HTTPS hijack. The ISP's resolver sees "casino.org" in the A/AAAA query, finds it in a blocklist, and responds with an IP address to a web server that serves a block page (or a CNAME thereto).

michaelmcmillan 10 hours ago | parent [-]

Which is useless if the domain had HSTS enabled, which they should.

10000truths 3 hours ago | parent [-]

HSTS for a domain is trust-on-first-use unless the domain is in the browser's preload list.