Incident Mis-Issued Certificates for IP Address 1.1.1.1

17 mholt 2 9/4/2025, 2:59:17 AM unmitigatedrisk.com

Comments (2)

NitpickLawyer · 1d ago
I'm a bit confused by the BGP hijacking note. Can someone more knowledgeable chime in? I would think that the cert is enough to snoop on your own citizens by mitm-ing the (anycast?) 1.1.1.1 traffic if this would be a gov op. Would they need to hijack BGP for traffic they control? (i.e. from their own country)
burnt-resistor · 1d ago
What they're saying is that if {{malicious user}} receives an IP cert from {{malicious-enabling root CA}} trusted by {{unwise OS/browser vendor}}, then infrastructure-{aided,involved} attacks become easier.

The intractable and difficult root (pun unintended) problem is that OS/browser/CA root cert list providers must delegate trust carefully to legit CAs while continually auditing that they're not issuing garbage certs to entities that can't prove they own the subject(s) they're covering.

CA = Certifying Authority is the issuer of certs that make https:// work, but isn't limited to uses of just the web. S/MIME email, some software signatures, and more.
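To make the trust-delegation point in the comment above concrete, here is an added Go example (mine, not from the linked article or this thread) that builds a constructed "legit" root and a constructed "rogue" root, has the rogue one issue a server cert whose only SAN is the IP 1.1.1.1, and shows that whether a client accepts that cert depends entirely on which roots are in its pool. The names NewRoot, IssueIPCert and TrustedForIP are my own; it uses only Go's standard-library crypto/x509.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// mint generates a fresh P-256 key for tmpl and has signerKey sign it under parent;
// a nil signerKey means tmpl signs itself (a root). Errors are ignored: constructed fixture only.
func mint(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if signerKey == nil {
		signerKey = key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewRoot builds a constructed self-signed CA; the "trust store" is whatever roots you later pool.
func NewRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return mint(tmpl, tmpl, nil)
}

// IssueIPCert has the CA (ca, caKey) issue a TLS server cert whose only SAN is the IP address ip.
func IssueIPCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ip string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), IPAddresses: []net.IP{net.ParseIP(ip)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mint(tmpl, ca, caKey)
}

// TrustedForIP is the client's decision: leaf must chain to a pooled root AND name ip in its SAN.
func TrustedForIP(leaf *x509.Certificate, roots *x509.CertPool, ip string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: ip})
	return err == nil
}
```

The same leaf flips from rejected to accepted the moment the rogue root is added to the pool, which is the "unwise OS/browser vendor" case the comment describes; detection therefore has to happen at the root-list and CT-log level, not at the connecting client.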