On Mon, May 20, 2019 at 9:20 AM Stephen Gallagher <sgall...@redhat.com> wrote: > > On Mon, May 20, 2019 at 8:53 AM Danishka Navin <danis...@gmail.com> wrote: > > Seems government is working with Chinese tech people to run mass online > > surveillance system. > > http://www.themorning.lk/china-styled-mass-online-surveillance/ > > > > > > But I am not clear how Root CA can use to SSL MITM attack instead of user > > cert. > > > > If you trust a root CA for signing websites, then they can sign a new > certificate for google.com, then modify DNS to send you to a > non-Google server presenting their certificate, signed by the corrupt > CA. They'd decrypt all of your traffic, read it, re-encrypt it with > the real google.com cert and pass it along. You would still see the > website you expect to, but in the middle all of your traffic is > exposed to the man-in-the-middle server.
It's typically detectable by delays because the SSL connection occurs twice, but given the clients are in China, well, some delays are not shocking. _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
