4 comments

[ 0.25 ms ] story [ 18.6 ms ] thread
What's your threat model? Without loss of generality, China has a) gotten secret keys to a large pool of targets, b) those targets re-key their certs, c) China re-uses old keys to MITM those targets and nobody notices?

If so, great news! We don't have to worry about it because China can also just ask their friendly government-owned CA to generate valid certs for any MITM targets who don't implement certificate pinning in the browser also produced by their company.

I'm asking HN so we can have a discussion about possible threat scenarios.
>Should we assume any competent government like China (through it's Great Firewall) has gained access to a large pool of secret keys used on the internet? The potential that they have known about the exploit for 2 years it is without doubt that they could have captured any secret key they wanted.

There are so many things wrong with these two sentences I can't decide where to start.

Maybe a good launching point is the fact that it's never outlined why China or literally anybody else has any "secret keys". In the next sentence there's a reference to "the exploit," but obviously we could be talking about any exploit. Are we talking about any exploit? Who decides what exploit we're discussing? Do I get to pick my favorite?

>competent government like China

Why a government? Why not anybody else?

>(through it's Great Firewall)

In English, this bit expands to "(through it is Great Firewall)" or possibly "(through it has Great Firewall)", which are not real sentence fragments that mean anything. If we assume, for the sake of brevity, that our author meant to use "its" instead, the sentence is now grammatically stable but still doesn't mean anything to the reader. Why is the "Great Firewall" relevant?

Surely the US government is also a large threat to internet security? Not just China? :P