biscuitswalrus@aussie.zone 2 days ago
A country for example could enact their mandatory certificate authority that they control. Then have ISPs who are in the middle use what was mandatory a trusted CA to act as the certificate issuer for a proxy. This already exists in enterprise, a router or proxy appliance is a mitm to inspect ssl traffic intercepting connections to a website say Google, but instead terminates that connection on itself, and creates a new connection to Google from itself. Since the Google certificate on the client side would be trusted from the proxy, all data would be decrypted on the proxy. to proxy data back to clients without a browser certificate trust issue, they use that already mandated CA that they control to create new certificates for the sites they’re proxying the proxy reencrypts it back to the client with a trusted certificate and browsers accept them.
It’s actually less than theoretical, it’s literally been proposed in Europe. This method is robust and is already what happens in practice in enterprise organisations on company devices with the organisations CA certificate (installed onto organisation computers by policy or at build time). I’ve deployed and maintained this setup on barracuda firewalls, Fortigate firewalls and now Palo alto firewalls.
throwawayacc0430@sh.itjust.works 2 days ago
Wow, I wonder why Russia and China haven’t done this yet.
I mean, the US, people have guns, so implementing this might cause people to just start rioting.
But Russia and China has strict gun controls, its totally feasible to implement this.
LyingCake@feddit.org 1 day ago
I think this is a very short-sighted, surface level take that shows of a very naive understanding of how societies become more totalitarian.
biscuitswalrus@aussie.zone 2 days ago
They could be, but I assume say like an apple device won’t install a ccp root authority unconditionally. Huawei and xiamoi probably could be forced, but the browser too, like Chrome, Firefox and safari need to also accept the device certificates as trusted.
But the pressure in Europe would likely be to trade within Europe, you must comply.
It fundamentally destroys the whole trust of PKI if this did go ahead. We just need to hope it does not.
throwawayacc0430@sh.itjust.works 2 days ago
They already removed VPN apps from the Mainland China version of the Apple App Store. In capitalism, profits are above everything else. China is a very large market with 1.4 Billion people, I doubt Apple is gonna be willing to lose access to this market.