- (3) Wouldn't they just force the operator of the website to hand over their own certificate, which would make the whole thing completely transparent? If the NSA has to create new certificates for every website, then tracking certificate fingerprints will reveal the eavesdropping. For example, if my company's SSL key fingerprint differs between when I access the website at work and when I access it at home, then I'll know the certificate was compromised. Likewise, if they are only tapping my home internet connection, I can look for fingerprint changes that differ between home and another network. (Johnny, Oct 22, 2013 at 23:16)
- (1) @Johnny: that would work somewhat, but user laziness to check cert signatures for every secure site they visit would happen most often. Also, some HTTPS sites change certs on a schedule (say every 6 months), which makes it hard to tell if a cert signature change is indeed valid. (Nasrus, Oct 23, 2013 at 1:01)
- (7) @Johnny Also a large chunk of the internet has been using the Root CA transparent interchangeability bug as a feature. Navigating the modern internet with tools like Certificate Patrol is a nightmare of "legitimate" swaps and switches that a spy agency switch could hide within, like a needle in a haystack. I gave up on using Cert Patrol for that reason. The underlying v3 X.509 standard is broken. (LateralFractal, Oct 23, 2013 at 1:27)
- (1) @suriv It's not a dubious assertion, it's fact. Check out National Security Letters or the Foreign Intelligence Surveillance Act. (NDF1, Oct 17, 2015 at 2:02)
- (2) Do some research on your own. See also Key disclosure laws. They can compel a company or individual to hand over an SSL key via court order. FISA deals with secret court orders, so if it's related to national security it won't ever see the light of day. If it's in the interest of national security to force a CA to hand over their root signing certificate, they'll do it. Of course American CAs are all vulnerable to this. (NDF1, Oct 17, 2015 at 4:01)
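One way to run the cross-network fingerprint check Johnny describes while accounting for Nasrus's caveat about scheduled renewals: compare not only the certificate hash but also the hash of the SubjectPublicKeyInfo, so a renewed certificate that keeps the same key is distinguishable from one carrying a different key. This is an added example, not code from any of the commenters; the sample certificates are constructed toys with placeholder names and key bytes (real DER layout, minimal fields), and the DER walker handles only what is needed to reach the SPKI.

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV; short-form lengths suffice for the toy samples."""
    return bytes([tag, len(body)]) + body

def der_read(buf, off=0):
    """Decode the TLV at buf[off]; returns (tag, value, offset after the TLV)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                       # long-form length (real certs use it)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr += nbytes
    start = off + hdr
    return tag, buf[start:start + length], start + length

def der_children(value):
    """Split a SEQUENCE body into its child TLVs, each kept whole."""
    out, off = [], 0
    while off < len(value):
        tag, _, end = der_read(value, off)
        out.append((tag, value[off:end]))
        off = end
    return out

def spki_from_cert(cert_der):
    """Extract the DER SubjectPublicKeyInfo from an X.509 certificate."""
    _, cert_body, _ = der_read(cert_der)            # Certificate ::= SEQUENCE
    _, tbs_tlv = der_children(cert_body)[0]         # tbsCertificate
    _, tbs_body, _ = der_read(tbs_tlv)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def fingerprints(cert_der):
    return {"cert": hashlib.sha256(cert_der).hexdigest(),
            "spki": hashlib.sha256(spki_from_cert(cert_der)).hexdigest()}

def compare_observations(cert_a, cert_b):
    """Classify two certs observed for the same host from two vantage points."""
    fa, fb = fingerprints(cert_a), fingerprints(cert_b)
    if fa["cert"] == fb["cert"]:
        return "same-certificate"
    if fa["spki"] == fb["spki"]:
        return "renewed-same-key"    # serial/validity changed, key did not: routine renewal
    return "key-changed"             # different key: substitute cert or a genuine rekey, investigate

def sample_cert(serial, key_bytes):
    """Constructed toy certificate: empty names, sha256WithRSA OID, fake key and signature."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + alg + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x11" * 8))
```

In practice the two inputs would be the DER certificates captured from each network (for example via `ssl.get_server_certificate` converted with `ssl.PEM_cert_to_DER_cert`); a "key-changed" result is what deserves a closer look, while "renewed-same-key" is the rotation Nasrus mentions.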