548 points mnot | 2 comments
5ersi No.38112218
If you are concerned by this proposal, then you should check out the current CAs trusted by your browser - all those CAs can issue rogue certificates trusted by your browser, which can be used in a MITM attack.

For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA

The CA system in browsers is inherently broken and it allows state actors to MITM you and see all your traffic if they: 1. have the ability to capture IP traffic (requires cooperation with an ISP) 2. have the ability to generate a rogue certificate via cooperation with a CA

replies(5): >>38112296 #>>38112304 #>>38112316 #>>38112317 #>>38112423 #
andyjohnson0 No.38112317
> For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA

For someone living in the West, what are the consequences of deleting or distrusting those CAs?

replies(2): >>38112519 #>>38112751 #
ajsnigrutin No.38112751
You lose nothing, gain nothing. It's hard for China to reroute your traffic, and even if they did, what can they do to you after that?

It's your own government that can actually do something bad to you.

(unless you're doing some really really nasty stuff, and China wants to eliminate you for those reasons, and is willing to create a large international incident because of that).

replies(2): >>38113255 #>>38113546 #
1. martin8412 No.38113255
Unless it's gotten better, it's super easy for China. My traffic to EU World of Warcraft servers got hijacked all the time. I don't know if it was malicious or just incompetent Chinese ISPs, but you feel that extra latency when it goes through China.
replies(1): >>38113628 #
2. ajsnigrutin No.38113628
But this wasn't a BGP redirect, this was Blizzard doing something... if Chinese telcos acted as if they were Blizzard telcos, there would be BGP filters and a lot of outrage in a matter of minutes. This is not a small deal.