Blocking HTTPS would be frighteningly hilarious. My employer is one of thousands of websites that utilizes HSTS, which tells web browsers to use HTTPS. Our implementation of HSTS, like lots of banks etc. is also listed with HSTSpreload, which means browsers like chrome will only ever use HTTPS with our site.
I seriously doubt Chrome or Firefox would ever be coerced into trusting a cert like that. If they did then you would see a very rapid shift away from those browsers to one or more of the open source alternatives.
And any CA that issued such a cert that allowed for wholesale MITM access like that would be blacklisted by all the browsers very quickly as well. That would put the CA out of business very quickly.
I think you might not be aware of it but big institutions like governments and such can basically already circumvent HTTPS encryption by supplying fake root certificates and forcing the ISP to redirect traffic through their own servers.
That is why End-to-End encryption is such a big deal. Because it cannot be circumvented by the government alone. If done right (proper key exchange), it cannot be broken by anyone but the legitimate recipients. The way WhatsApp does it today, Meta could technically break it too, though i’m not sure whether they do.
That’s not necessarily very easy. These certs would have to show up in public certificate transparancy logs for most browsers to accept them. If this happens on a government scale it would surely get noticed, though the question remains what you’re left to do if the government forces it anyways…
Ok how do they plan to enforce that?
By banning HTTPS at the ISP level?
Edit: and then how do they enforce GPDR? Because you better believe everyone and their mother is going to snoop on every communication made.
By forcing Whatsapp Signal etc to implement backdoors
Signal wouldn’t, or if it did, it would be labeled as such as an insecure fork for EU conpliance only and make that fork stale immediately.
Blocking HTTPS would be frighteningly hilarious. My employer is one of thousands of websites that utilizes HSTS, which tells web browsers to use HTTPS. Our implementation of HSTS, like lots of banks etc. is also listed with HSTSpreload, which means browsers like chrome will only ever use HTTPS with our site.
What if they just do MITM with a Trusted root? Does HSTS provide a method to do cert pinning?
HSTS just enforces HTTPS over HTTP.
I seriously doubt Chrome or Firefox would ever be coerced into trusting a cert like that. If they did then you would see a very rapid shift away from those browsers to one or more of the open source alternatives.
And any CA that issued such a cert that allowed for wholesale MITM access like that would be blacklisted by all the browsers very quickly as well. That would put the CA out of business very quickly.
Don’t need to ban encryption, just control top level certificate authorities and have access to private keys.
I’d like to see them try to get mine lol.
And any CA doing so would lose their certificate authority status pretty damn quickly.
I think you might not be aware of it but big institutions like governments and such can basically already circumvent HTTPS encryption by supplying fake root certificates and forcing the ISP to redirect traffic through their own servers.
That is why End-to-End encryption is such a big deal. Because it cannot be circumvented by the government alone. If done right (proper key exchange), it cannot be broken by anyone but the legitimate recipients. The way WhatsApp does it today, Meta could technically break it too, though i’m not sure whether they do.
That’s not necessarily very easy. These certs would have to show up in public certificate transparancy logs for most browsers to accept them. If this happens on a government scale it would surely get noticed, though the question remains what you’re left to do if the government forces it anyways…
See https://en.m.wikipedia.org/wiki/Certificate_Transparency section “Mandatory certificate transparency”
admittedly, but i still assume that the CIA could do it if it tried.
edit: thanks for the link though, this seems very interesting :D