undefined | Better HN

0 pointsJensson2y ago0 comments

You still wont be able to break the end to end encryption of a site. You can only intercept traffic that the server can read, you can't intercept traffic that are encrypted end to end.

And if the site can see your data assume the government can see it as well, they can get it with a warrant.

0 comments

isilofi2y ago

Website-based end-to-end encryption isn't usually. In most cases, the "e2e-encrypting" website will deliver the Javascript that does the "e2e-encryption", which can easily be manipulated to provide a copy of all messages to some convenient third location.

A warrant will maybe warn the site and the user that something is going on.

A man-in-the-middle attack without a warrant delivered to either party is more likely to go undetected.

JenssonOP2y ago

> which can easily be manipulated to provide a copy of all messages to some convenient third location.

Updating others javascript as a proxy isn't "easily".

Also if the government goes all this way to tell each internet provider to spy on people, why do you think they couldn't tell certificate authorities to spy on people? It is the same level. I wouldn't be surprised if many CA's in USA already does this.

isilofi2y ago

It is "easily", because current commercially available "firewall" appliances include that kind of capabilities. Just a few clicks, install a CA certificate, add a logging endpoint, done. Certain regulated industries like finance and medicine are required to use those. All chats are instantly intercepted and logged.

And the way to spy on people via a certificate authority is exactly as described, you get a CA that signs your man-in-the-middle certificate for a website you do not own. Then you MitM that traffic using that certificate, while still getting a green "lock" icon.

With current WebCA certificates, certificate transparency does help a little to detect such MitM certificates, and some CAs have actually been caught red-handed. There are processes to punish or remove such CAs. However, this law would also prevent such actions, thus making it impossible to prevent any future malfeasant CAs.

About an example MitM certificate case and removal, see the DigiNotar case: https://blog.mozilla.org/security/2011/08/29/fraudulent-goog...

For more about how certificate transparency works see http://nil.lcs.mit.edu/6.824/2020/papers/ct-faq.txt

1 more reply

j / k navigate · click thread line to collapse

0 comments

isilofi2y ago

A warrant will maybe warn the site and the user that something is going on.

A man-in-the-middle attack without a warrant delivered to either party is more likely to go undetected.

JenssonOP2y ago

> which can easily be manipulated to provide a copy of all messages to some convenient third location.

Updating others javascript as a proxy isn't "easily".

isilofi2y ago

About an example MitM certificate case and removal, see the DigiNotar case: https://blog.mozilla.org/security/2011/08/29/fraudulent-goog...

For more about how certificate transparency works see http://nil.lcs.mit.edu/6.824/2020/papers/ct-faq.txt

1 more reply

j / k navigate · click thread line to collapse