• LainTrain@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    4 months ago

    Thanks for the explainer, but that’s not what I meant.

    For example: If I, an ISP in Beijing went to BEIJING CERTIFICATE AUTHORITY Co., Ltd. which is on the list, and had my cert issued by them for foobar.com that listed them as the root trust, wouldn’t that work? Because the service operating there currently is illegal and I need to take it down, i don’t see how or why they could refuse. If they can’t do this for ISPs, then certainly law enforcement should be able to force them to comply, I would assume.

    If I then went to abuse that cert and spread malware on my fake cloned site, then what are the affected users going to do, call the cops and tell them the illegal seedbox is down?

    This is the only way I can see governments being able to display blocked website notices, takedown notices and other MITM insertions demonstrably happening in all sorts of countries without triggering a “back to safety” warning in most browsers.

    This has to be possible, because otherwise the observable results don’t make any sense.

    I’m not necessarily saying they did the attack this way instead of just simply spreading malicious torrents which is far easier, but I don’t see why they wouldn’t be able to do this.

    • Zeoic@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      Well for one, ISPs are not the government, and two, if any CA was caught doing this, browsers like firefox would drop them. Hopefully google would too, but who knows. Thats an aweful lot of risk on their part.

      • LainTrain@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        ISPs are not the government - yes, so they have to actually follow laws. And CAs caught doing what exactly, complying with the regulations of their country?