Last Chance to fix eIDAS: Secret EU law threatens Internet security

(last-chance-for-eidas.org)

548 points mnot | 1 comments | 02 Nov 23 05:57 UTC | HN request time: 0.194s | source

Show context

5ersi ◴[02 Nov 23 11:55 UTC] No.38112218[source]▶

If you are concerned by this proposals, then you should check out current CAs trusted by your browser - all those CAs can issue rogue certificates trusted by your browser, that can be used in MITM attack.

For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA

The CA system in browsers is inherently broken and it allows state actors to MITM you and see all your traffic if they: 1. have ability to capture IP traffic (requires cooperation with ISP) 2. have ability to generate rogue certificate via cooperation with CA

replies(5): >>38112296 #>>38112304 #>>38112316 #>>38112317 #>>38112423 #

gchamonlive ◴[02 Nov 23 12:03 UTC] No.38112316[source]▶

>>38112218 #

It's not like Beijing CA can issue a rogue certifcate and suddenly a malicious actor would be able to decrypt all your internet traffic. You would have to connect to a service that uses those certificates in the first place.

An interesting experiment would be to log all certificates used by the sites you normally use, say for a month, and then look at the list for anything shady. I have no ideia if an extension exists that would allow such and experiment, but the resulting list would be much more useful.

replies(2): >>38112438 #>>38112465 #

1. miohtama ◴[02 Nov 23 12:18 UTC] No.38112465[source]▶

>>38112316 #

In the case of mainland China, it’s easy for the Party 1) issue a malicious certificate and 2) redirect your Internet traffic to MITM box. They do 2) for all the time when blackholing Internet traffic.

With certificate logs there is a chance, I don’t know how high, to catch 1).

↑