• Varcour@lemm.ee · 10 points · (edited) · 1 year ago

    Mandating trusted CAs opens the door to fucking with the communication in progress, i.e. undermining TLS, whose job it is to protect that communication. Spinning this as an attack on the companies making the browser is a bit too creative for me. That’s like saying wiretaps are an attack on the telco, not the phone calls being listened in on.

    • Arthur Besse · 8 up / 1 down · 1 year ago

      Currently browser vendors are able to make their own decisions about which CAs to trust, and how to validate certificates. Most browsers trust a lot of nation states’ CAs, but they (the browser vendors) are currently free to unilaterally stop trusting them when they learn of abuses.

      > That’s like saying wiretaps are an attack on the telco, not the phone calls being listened in on.

      Often it is both. Remember MUSCULAR?