Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
basilikum an hour ago

For the vast majority of cases, would anyone notice these malicious certificates being created and logged?

toast0 17 minutes ago | parent | next [-]

I don't subscribe for my personal domains, because who cares, but when I was in charge of certificates for something important I subscribed to notifications from several providers to make sure I didn't miss anything.

I would like to think at least all the high profile destinations have someone watching.

nickf 40 minutes ago | parent | prev | next [-]

For any target of sufficient value that a government would do that, yes. Of course it doesn't happen anyway, because governments don't have some kind of secret access to CAs.

tialaramex an hour ago | parent | prev [-]

What constitutes the "vast majority" ? Periodically I check mine, and I sometimes have reason to check others, I no longer run my own log auditing (I did when I worked somewhere else because it was close to my main field of interest) but other people do.

basilikum 35 minutes ago | parent [-]

How can you check other people's certs? How do you know whether a cert issued is authorized by them or not?

The only one who can check for maliciously published certs is the entity authorized to request them. I think most companies are happy when they manage to have valid, not expired certs and do not care too much about making sure there are not too many of them.

You are right that if the state would start issuing malicious certs en mass that would be found out quickly. But I think very targeted selected operations against entities where they know the entity is unlikely to surveil for unauthorized certs are very much possible.

I'm not arguing for going into conspiratorial thinking and claiming CAs are all compromised and issuing malicious certs all the time. But I do think that it is feasible for states to use CAs under their direct or indirect control to run targeted attacks. I think that is a plausible, serious risk that we do not care enough about and that we should do something about. There is a multitude of precedence starting from LavaBit over the wiretapping of jabber.ru^1, ANOM^2 to CryptoAG^3 that supports this conclusion.

[1]https://notes.valdikss.org.ru/jabber.ru-mitm/ [2]https://en.wikipedia.org/wiki/Operation_Trojan_Shield [3]https://en.wikipedia.org/wiki/Crypto_AG