this post was submitted on 22 Aug 2023
573 points (97.0% liked)
Privacy
32120 readers
314 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Can you link to something with more info on how it works? I know how certs work and CAs but not how some random wifi network can hijack that whole trust system. It sounds like it would defeat the whole purpose of https. Thanks in advance.
https://www.cloudflare.com/learning/security/what-is-https-inspection/
https://blog.cloudflare.com/monsters-in-the-middleboxes/
While this has traditionally been achieved by having the end client install a new certificate into their device for the corporations certificate authority, Google and other security firms also offer network appliances that will do this using certificates your device already trusts such as the above Google Trust Services LLC certificate. I've also experienced this 4 years ago with connections intercepted using certs from DigiCert and I'm sure there are others out there.
Https is dependent on a chain of trust, but most end users no little to nothing about it and definitely don't chose which certificates to base that chain of trust on. Instead you're given a set of certificates from the os/software developers and told to trust everything that leads back to those without any idea who has the authority to sign with those certificates.
Theoretically speaking; I could have an insider at letsencrypt who bypasses their check to see if I actually control a particular domain and instead just issues every certificate for any domain I ask for. Your browser wouldn't know the difference, just accepting them as valid certs as they've got the domains you asked for and they're signed by someone the browser trusts.
Google and others sell exactly that service.