Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
ceejayoz 3 days ago

How closely have you reviewed your browser's list of default trusted CAs?

distill17801 3 days ago | parent | next [-]

I second this: HTTPS (as most consumers use it) is probably a front (who are these CA's really anyway?)

Plot twist: _Perhaps_ Mythos / Fable keeps explaining ways (that we can't comprehend or don't always work) to break HTTPS due to the three letter agencies making sure they had input on their creation (and thus backdoors, I mean "bugs"), so the real catastrophe they are hiding is that HTTPS is broken (for most people, most of the time.)

Remember when Quantum computing was the threat to HTTPS? Turns out it was the humans own inability to think outside of the box!

ceejayoz 3 days ago | parent [-]

I wouldn't go that far. I remember https://en.wikipedia.org/wiki/Firesheep - HTTPS-everywhere was unambiguously an improvement over the status quo.

It just doesn't protect you all that well from nation-scale adversaries.

parineum 3 days ago | parent | prev [-]

My trusted CA doesn't have my private key, they only attest that my public key belongs to me.

ceejayoz 3 days ago | parent [-]

Your many, many default-trusted CAs can mint new certs for the sites you visit.

parineum 2 days ago | parent [-]

Which would be easily detectable if the cert I'm using on my server didn't match the one that was being served publicly.

There's really no way this conspiracy theory works if "they" have a copy of every single private cert generated. Which would be impressive because I can generate one myself and get it trusted without ever sending it and would be easily able to detect a MITM attack.

Not to mention most sites are going to use pinned certs so any repeat visitors to a site will notice a cert change associated with a MITM.

This whole idea relies on the assumption that everyone is trusting third parties with their private certs. That is not at all required.

ceejayoz 2 days ago | parent [-]

> Which would be easily detectable if the cert I'm using on my server didn't match the one that was being served publicly.

I'm not sure why your focus is so heavily on your server. Is that the only thing on the internet you care about?

> Not to mention most sites are going to use pinned certs so any repeat visitors to a site will notice a cert change associated with a MITM.

Most haven't even heard of pinned certs.

https://dl.acm.org/doi/10.1145/3517745.3561439

"we find that 0.9% to 8% of Android apps and 2.5% to 11% of iOS apps use certificate pinning at run time"