undefined | Better HN

0 pointsgsich7y ago0 comments

And people from that country have those certificates installed? Voluntarily?

0 comments

In case of countries, you don't need the certificate installed for MITM to work. You just need it if you want to get rid of the warning on every single https website. Unless you tunnel your traffic, it's visible.

In case of large corps, you get assigned a laptop / desktop setup by the company. You probably authenticate to the AD and don't even get the privileges to add/remove certificates.

yorwba7y ago

Also, if the country has its own root CA, it can just sign arbitrary certificates. https://en.wikipedia.org/wiki/CNNIC#Fraudulent_certificates

yjftsjthsd-h7y ago

Notice of course that that little stunt resulted in them being removed from everybody's trust stores. And it's not like you can just get away with it these days, since certificates are all publicly logged now.

2 more replies

zeusk7y ago

Just a single data point but the last time I was in Beijing, my iPhone prompted me to install a certificate before I could hop on to the airport WiFi.

I just spent the next 3 hours of the layover without internet.

nabla97y ago

Uyghurs in China need to install mandatory tracking app to their mobile phones.

j / k navigate · click thread line to collapse