Hacker News

s_Hogg said 6 months ago:

So man in the middle in the developing world is bad, but pervasive tracking in the developed world is absolutely fine. Got it.

Edit for replies to this message: I accept the distinction being made, but that doesn't mean I'm more happy about one thing than the other. Both suck.

floatboth said 6 months ago:

MitM is a fundamental breach of trust between you and the websites you visit.

The websites themselves tracking you… well, whatever, visit better websites, block third-party trackers (Firefox actually does that out of the box), use Tor Browser.

(Also, the tracking is not exclusive to the "developed world" lol)

jancsika said 6 months ago:

A thing affects a tiny percentage of the world population. An ethical stance is made.

A thing affects an enormous percentage of the world population. A shrug is performed.

thewhitetulip said 6 months ago:

There is a big difference between MitM and tracking.

When Google tracks me when I'm in India, it is not for finding out if I am against my PM and a threat to the party and if they want to silence me.

asadjb said 6 months ago:

Man-in-the-middle shows someone my bank password. Tracking only shows them who I am and what sites I visit (simplifying explanation I know).

I'd much rather be tracked online and have my bank details safe than the other way around.

Arbalest said 6 months ago:

That's not necessarily true. If it is on-page JavaScript tracking, the script could well snoop the password before it is even in transit. This is perhaps still better than a MitM as at least the bank has had some chance to vet the vendor of the tracking script. Still, if the tracking script vendor is compromised, we're back to square one.

gorty said 6 months ago:

> So man in the middle in the developing world is bad, but pervasive tracking in the developed world is absolutely fine.

Who are you quoting?

codedokode said 6 months ago:

It is important that Kazakhstan's government lied about the purpose of the certificate: it said it was necessary to access government sites and for connection security. But actually connection security was compromised.

Browsers and OS vendors must provide clear explanations when adding a third-party certificate. For example, Android shows a notification that traffic can be intercepted and allows users to disable third-party root certificates.

slezyr said 6 months ago:

Why does no one do the same against all other countries? Why not make a browser which can bypass all blocks, etc.? And why is it not the default already?

All this news about Kazakhstan just feels like a farce. Go ahead and do the same against China.

dchest said 6 months ago:

Because no other country has yet required its citizens to install a root certificate, which the browsers can block.

(Speaking of China, Google did remove a Chinese CA after it was used for MitM https://security.googleblog.com/2015/03/maintaining-digital-...)

MaxBarraclough said 6 months ago:

In the interests of precision: nothing there says it was the doing of the Chinese state. A private company, MCS Holdings, was at fault there.

codedokode said 6 months ago:

It doesn't matter who ordered the certificate to be issued; a CA must not issue fake certificates anyway, and discovery of such a certificate is proof of a violation of the rules.

tialaramex said 6 months ago:

Where did you get the idea that this can "pass all blocks"? You can't _pass_ blocks, a Man in the Middle isn't obliged to pass anything from you to the other party. You can only decide you'd rather the connection fails than have it be intercepted.

It turns out that humans are strongly disinclined to accept failure. Once they have set upon a course of action they'll see it through despite almost any cost, they are focused on achieving their goal. This is related to the sunk cost fallacy. For interception MITM attacks this means the attack will very likely work _unless_ we just treat it as a failed connection.

If you interrupt a human trying to do something with "The government of Kazakhstan wants to intercept your connection and arbitrarily change everything. OK?" the human doesn't even read as far as "Kazakhstan" before they push OK. "OK already computer, stop bothering me". So there's no point offering failure as an option, users will pick "OK" anyway.

Instead the correct solution is for the browser to just treat interception as failure as a matter of policy. Users aren't surprised if you do this, now the browser just can't connect when there's a problem, which is already how they understood things. And because they can't just press "OK" they are freed from their plan, it has failed, and now they can re-evaluate.

keiferski said 6 months ago:

Pretty simple answer really: money. It’s easy for browsers to get public support and brownie points “standing up to censorship” against a small country like Kazakhstan where they have almost nothing to lose. The browsers look like heroes, there are no real financial losses, and everyone is happy.

adventured said 6 months ago:

Kazakhstan has 3/4 the population of Australia and would be the 10th largest country in Europe by population. It's certainly not that small. Australia, for one example, routinely gets lambasted for its poor privacy and encryption policies.

It also has a GDP per capita on par with Turkey and China, just below Russia. So it's simultaneously not about conveniently picking on a super impoverished nation either.

bonzini said 6 months ago:

China's firewall does not do man-in-the-middle in the same way as Kazakhstan. It may well be that it does surveillance by virtue of knowing the private part of some certificates (including RapidVPN), but that is a different thing.

megous said 6 months ago:

Because it's not possible in general.

Bypassing blocking is dependent on how the blocking is being done.

Anyway, browsers are trying. DoH, for example, will work around DNS-based blocking (as long as CAs can be trusted).