• Arthur BesseA
    1 year ago

    Currently browser vendors are able to make their own decisions about which CAs to trust, and how to validate certificates. Most browsers trust a lot of nation states’ CAs, but they (the browser vendors) are currently free to unilaterally stop trusting them when they learn of abuses.

    That’s like saying wiretaps are an attack on the telco, not the phone calls being listened in on.

    Often it is both. Remember MUSCULAR?