https://torrentfreak.com/italy-approves-piracy-shield-vpn-dns-proposal-risk-of-prison-for-isps-intact-241001/

As title. Italy has decided to pass a law that basically creates a Chinese-type firewall in the country. The question is simple: even if I’m not doing anything illegal, my VPN provider will have to know what I am doing to report it in case it’s illegal, or face jail.

So how could my traffic remain private in this scenario?

Can a VPN provider with a no-logs policy be held accountable for anything? Can it actually know what I’m doing?

  • ShortN0te
    2 hours ago

    You can read more about this by learning about X.509.

    It's the PKI that's broken, namely the root stores. Has been unreliable for many, many years. This is why packages are signed.

    So you are basically saying that root CAs are unreliable or compromised?

    The great thing is that you can decide on your own which CAs you trust. Also, please prove that those are actively malicious.

    And no. That is not the reason that packages are signed. I am guessing you mean packages like on Linux, packages contained in the installation repository. The reason is that you build another chain of trust. Why would I trust a CA which issues certificates for domains with code distribution? That’s not their job.

    • mox@lemmy.sdf.org
      51 minutes ago

      So you are basically saying that root CAs are unreliable or compromised?

      Not exactly. They are pointing out that HTTPS assumes all is well if it sees a certificate from any “trusted” certificate authority. Browsers typically trust dozens of CAs (nearly 80 for Firefox) from jurisdictions all over the world. Anyone with sufficient access to any of them can forge a certificate. That access might come from a hack, a rogue employee, government pressure, a bug, improperly handled backups, or various other means. It can happen, has happened, and will happen again.

      HTTPS is kind of mostly good enough for general use, since exploits are not so common as to make it useless, but if a government sees it as an obstacle, all bets are off. It is not comparable to a trustworthy VPN hosted outside of the government’s reach.

      Also, HTTPS doesn’t cover all traffic like a properly configured VPN does. Even where it is used and not compromised, it’s not difficult for a well positioned snooper (like an internet provider that has to answer to government) to follow your traffic on the net and deduce what you’re doing.
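The thread's two points about root stores (clients trust many CAs from many jurisdictions, and you can decide which ones you trust) can be checked on your own machine. The following is an added example, not code from any commenter: it audits a trust store in the format returned by Python's `ssl.SSLContext.get_ca_certs()`. The `SAMPLE` entries and the allowed-country set are constructed for illustration.

```python
import ssl
from collections import Counter

def rdn_value(name, field):
    """First value of `field` in an ssl-module name tuple, or '??' if absent."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return "??"

def is_root(cert):
    # A root certificate is self-issued: subject and issuer are identical.
    return cert.get("subject") == cert.get("issuer")

def roots_by_country(ca_certs):
    """Count roots per subject countryName (what the CA declares, a rough
    proxy for jurisdiction, not a legal determination)."""
    return Counter(rdn_value(c["subject"], "countryName")
                   for c in ca_certs if is_root(c))

def roots_outside(ca_certs, allowed):
    """Sorted (country, organization) pairs for roots not in `allowed`."""
    return sorted((rdn_value(c["subject"], "countryName"),
                   rdn_value(c["subject"], "organizationName"))
                  for c in ca_certs
                  if is_root(c)
                  and rdn_value(c["subject"], "countryName") not in allowed)

def name(org, country=None):
    # Helper that builds a constructed subject/issuer tuple for SAMPLE.
    rdns = [(("organizationName", org),)]
    if country:
        rdns.insert(0, (("countryName", country),))
    return tuple(rdns)

# Constructed sample: three roots and one intermediate issued by the first.
SAMPLE = [
    {"subject": name("Example Trust A", "US"), "issuer": name("Example Trust A", "US")},
    {"subject": name("Example Trust B", "IT"), "issuer": name("Example Trust B", "IT")},
    {"subject": name("Example Trust C"), "issuer": name("Example Trust C")},
    {"subject": name("Example Sub CA", "US"), "issuer": name("Example Trust A", "US")},
]

if __name__ == "__main__":
    # Real store; may be empty where the platform loads CAs lazily from a directory.
    store = ssl.create_default_context().get_ca_certs()
    for country, n in roots_by_country(store or SAMPLE).most_common():
        print(f"{country}: {n}")
```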