On Wed, 15 Aug 2018 at 14:04, Martin - StudioCoast < martin.sincl...@studiocoast.com.au> wrote:
> The root certificate would facilitate re-encrypting of the connection at
> the ISP end.
> Or the government could just force certificate authorities to hand over
> the private keys. There have been reports this might already have occurred
> in other countries.

A MITM attack, effectively? That only works if the app chooses to use the root certificate in question - effectively you load the root certificate into either the OS or the application certificate store, and then use that certificate (or a certificate that uses it as a root of its trust path) to encrypt the data. The government then intercepts the data, decrypts it, then re-encrypts it and passes it on to the destination.

It works with browsers because their default behaviour is to trust the certs in the certificate store, and the browser then sees the connection as secure (so you get a green address bar or tick or whatever the browser chooses to display), but can actually be foiled if the user bothers to check the certificate being presented and finds that instead of the bank's SSL certificate, the browser tells them that it's the government's root cert (or a subordinate of it) in use.

That won't work for apps that create their own encryption keys (or better yet, roll them over frequently), and certainly won't work for apps that are specifically created to bypass government interception.

> There have been discussions in the browser community on how to best deal
> with this, there are already a few approved certificate authorities out
> there with government ties:
> https://wiki.mozilla.org/CA:GovernmentCAs

Frankly, if a terrorist organisation or paedophile ring are using apps that use a certificate store that the government can compromise, they're not competent enough to be a problem.
_______________________________________________
AusNOG mailing list
AusNOG@lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
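The certificate check the reply describes can be made by the application itself instead of being left to the user. The following is an added example, not part of the original message: a client that still validates against the OS trust store but also requires the presented certificate to match a fingerprint recorded out of band. The function names and the sample byte strings are assumptions made for the illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(der_cert: bytes, pins: set[str]) -> bool:
    """True only if the presented certificate matches a fingerprint recorded out of band."""
    presented = fingerprint(der_cert)
    return any(hmac.compare_digest(presented, p.lower()) for p in pins)


def connect_pinned(host: str, pins: set[str], port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection; keep it only if chain validation AND the pin both pass."""
    ctx = ssl.create_default_context()  # usual validation against the OS trust store
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not is_pinned(der, pins):
        tls.close()
        # A chain that validates but fails the pin is what a re-encrypting
        # intermediary with a trusted root would present.
        raise ssl.SSLError(f"certificate presented for {host} does not match any pin")
    return tls


# Constructed stand-ins for DER bytes (not real certificates). Both would chain
# to a root in the trust store in the scenario above; only one matches the pin.
GENUINE_DER = b"constructed: leaf certificate issued by the site's usual CA"
REISSUED_DER = b"constructed: leaf certificate re-issued under an added root"
PINS = {fingerprint(GENUINE_DER)}

if __name__ == "__main__":
    for label, der in (("genuine", GENUINE_DER), ("re-issued", REISSUED_DER)):
        verdict = "accepted" if is_pinned(der, PINS) else "rejected"
        print(f"{label:10s} {fingerprint(der)[:16]}... {verdict}")
```

A pin on the whole certificate has to be updated whenever the server rotates its certificate, so the pin set normally carries the current and the next fingerprint.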