• tal@lemmy.today
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    5 months ago

    I don’t see why they wouldn’t, or couldn’t do this

    There are only 52 organizations that Firefox trusts to act as CAs. An ISP isn’t normally going to be on there.

    https://wiki.mozilla.org/CA/Included_Certificates

    https://ccadb.my.salesforce-sites.com/mozilla/CACertificatesInFirefoxReport

    If whatever cert is presented by a remote website doesn’t have a certificate signed by one of those 52 organizations, your browser is going to throw up a warning page instead of showing content. KT Corporation, the ISP in question, isn’t one of those organizations.

    They can go create a CA if they want, but it doesn’t do them any good unless it’s trusted by Firefox (or whatever browser people use, but I’m using Firefox, and I expect that basically the same CAs will be trusted by any browser, so…)

    • LainTrain@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      5 months ago

      Thanks for the explainer, but that’s not what I meant.

      For example: If I, an ISP in Beijing went to BEIJING CERTIFICATE AUTHORITY Co., Ltd. which is on the list, and had my cert issued by them for foobar.com that listed them as the root trust, wouldn’t that work? Because the service operating there currently is illegal and I need to take it down, i don’t see how or why they could refuse. If they can’t do this for ISPs, then certainly law enforcement should be able to force them to comply, I would assume.

      If I then went to abuse that cert and spread malware on my fake cloned site, then what are the affected users going to do, call the cops and tell them the illegal seedbox is down?

      This is the only way I can see governments being able to display blocked website notices, takedown notices and other MITM insertions demonstrably happening in all sorts of countries without triggering a “back to safety” warning in most browsers.

      This has to be possible, because otherwise the observable results don’t make any sense.

      I’m not necessarily saying they did the attack this way instead of just simply spreading malicious torrents which is far easier, but I don’t see why they wouldn’t be able to do this.

      • Zeoic@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        Well for one, ISPs are not the government, and two, if any CA was caught doing this, browsers like firefox would drop them. Hopefully google would too, but who knows. Thats an aweful lot of risk on their part.

        • LainTrain@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          ISPs are not the government - yes, so they have to actually follow laws. And CAs caught doing what exactly, complying with the regulations of their country?

          • Zeoic@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            5 months ago

            Exactly, and with ISPs not being the government, they can not force CAs to do anything. And yes, if a CA complys with an insane law that allows anyone to skirt around security and privacy (their ENTIRE purpose), they will lose the faith of the public, and people will drop them. Whether it was legal or not doesn’t matter much for public sentiment.

            • LainTrain@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              4 months ago

              What? That’s absurd. There is no ISP that can simply not comply with the law, it doesn’t matter about any faith or public because all other options have to comply with the same law so people do not have any options. This is just true in every country.

              • Zeoic@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                4 months ago

                Thats hilarious 😂 I can name over half a dozen of them that do it on a regular basis.

                  • Zeoic@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    4 months ago

                    In canada, Shaw is one that glaringly and repeatedly violates Canadian Personal Privacy laws, in fact, nearly every ISP does so with only a few exceptions. Nothing usually happens to them, and if it does its just a small slap on the wrist. Its cost of doing business to them.

                    In canada at the very least, an order like that from the government to a CA wouldn’t even be lawful. Just have to hope the CA has decent lawyers…