undefined | Better HN

0 pointsJensson2y ago0 comments

Governments still can't see your requests to servers under normal circumstances with this law.

The weakness is only if someone controls your internet connection and can use a compromised certification process to trick you into thinking you are at "e2e.com" when you are on another site, and in those cases the only difference from now is that your browser will display "secure" instead of "invalid cert". There is no other difference.

So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.

0 comments

calgoo2y ago

"The weakness is only if someone controls your internet connection and can use a compromised certification process to trick you into thinking you are at e2e.com"

That will be (or already is) done at ISP level. It will probably be fully automated, where they just put a court order number into a form, and it automatically just catches all your traffic in gear that's installed at the ISP.

JenssonOP2y ago

It is only undetectable if the site actually uses the vulnerable certificates. Otherwise you can see that the government is spying on you since the browser tells you what certificate it got (Telling you what certificate was used is a part of eIDAS). There is no way the government will replace certificates like that on an automated basis, it is too easy for people to notice and make a big deal about.

supriyo-biswas2y ago

If a nonprofit like Let’s Encrypt can perform automated certificate renewal with a few API calls, so can the government.

Also, MITMs are a thing and getting the EIDAS certs in the root store will show that the certs in question are trusted, which is all that really matters because there is no way for users to know what certificates were actually installed by the website owner.

1 more reply

g-b-r2y ago

There's probably at most one person every ten millions who uses add-ons displaying each connection's certificate authority; and even them will likely not notice anything if it's only done to them occasionally (not to mention that absolutely no one checks the connections used to download third-party stuff, to my knowledge).

1 more reply

g-b-r2y ago

> the only difference from now is that your browser will display "secure" instead of "invalid cert". There is no other difference.

Oh that's SUCH as an insignificant difference!!!

> So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.

You can simply relay the requests to the original site/"webapp", no need to build one similar

JenssonOP2y ago

> You can simply relay the requests to the original site/"webapp", no need to build one similar

Doesn't work if the app encrypts messages locally, so end to end encryption is still valid with this.

g-b-r2y ago

We're talking about normal browsing, not webapps performing their encryption

1 more reply

j / k navigate · click thread line to collapse

0 pointsJensson2y ago0 comments

Governments still can't see your requests to servers under normal circumstances with this law.

So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.

0 comments

calgoo2y ago

"The weakness is only if someone controls your internet connection and can use a compromised certification process to trick you into thinking you are at e2e.com"

JenssonOP2y ago

supriyo-biswas2y ago

If a nonprofit like Let’s Encrypt can perform automated certificate renewal with a few API calls, so can the government.

1 more reply

g-b-r2y ago

1 more reply

g-b-r2y ago

> the only difference from now is that your browser will display "secure" instead of "invalid cert". There is no other difference.

Oh that's SUCH as an insignificant difference!!!

> So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.

You can simply relay the requests to the original site/"webapp", no need to build one similar

JenssonOP2y ago

> You can simply relay the requests to the original site/"webapp", no need to build one similar

Doesn't work if the app encrypts messages locally, so end to end encryption is still valid with this.

g-b-r2y ago

We're talking about normal browsing, not webapps performing their encryption

1 more reply

j / k navigate · click thread line to collapse