this post was submitted on 17 Jan 2025
Technology
Maybe for some rando site. Google and any half-competent site has HSTS enabled, meaning a browser won't even try to connect with insecure HTTP, nor allow the user to bypass the security error, as long as the HSTS header is remembered by the browser (the site was visited recently, set to 1 year for Google).
In addition, Google will also be on HSTS preload lists, so it won't work even if you never visited the site.
That makes me realize, what kind of country doesn't control its DNS space's encryption certificates. That's a major oversight.
What? What do you mean "DNS space"? Classic DNS does not have any security, no encryption and no signatures.
DNSSEC, which adds signatures, is based on TLDs, not any geography or country. And it is not yet enabled for most domains, though I guess it would be for Google. But obviously the EU does not control .com.
And if you mean TLS certificates, those are a bit complicated and I already explained why forging those would be problematic and not work on Chrome, though it could be done.
Yes, I mean TLS certs, as those control what DNS records are considered valid. The EU should control which TLS certs are considered valid within its territory, and that should be considered part of their security apparatus. It's crazy irresponsible to have left that up to unaccountable private foreign entities. This is what would make it difficult to control their own independent version of the DNS namespace.
No. At the end of the day, I control which certificates I consider valid. Browsers just choose the defaults. There is no way I quietly let some government usurp that power, considering how easy to abuse it is.
No they don't. That is not what TLS really does. But I guess close enough.
Ok but my grandma can't
Even more reason to have relatively neutral organizations transparently curate the list of trusted CAs. While I am sure governments also closely monitor the process and would step in if they deemed it a threat.
Google is a threat. They should know they can be subverted if they continue in their ways with the questionably ethical human experimentation (for instance, undisclosed A/B testing including full context)
What does that have to do with TLS?
One of the reasons to create a domestic redirect of google.com
So we come full circle. The government having the ability to impersonate a site is exactly what I believe must not happen.
If the EU wants to create search.eu or any other search site, more power to them. I certainly wouldn't use it, but hey, if you want to trust them, you can.
If they want to block Google search... Eeeeh... I guess that is fine?
But they shouldn't be able to create a fake certificate for google.com or any site for that matter, not only allowing them to impersonate the site, but also intercept encrypted traffic between users and that site.
So no. Governments should not control the TLS infrastructure.
TLS certificate infrastructure is a major national security concern. Sure, for religious reasons it can be controlled by a private entity, but the government is certainly already pulling all the strings there. The problem in the EU is that this control is in America now. So they need to wake up and have their own. Then they can enforce a Google ban and a seamless redirect to search.eu or whatever. The important thing is to both block Google while not breaking the search button on everything that foolishly hardcoded google.com in the code.
You obviously have no idea what you are talking about. America does not have any more or less of an ability to forge certificates compared to Europe.
Not wanting to live in a surveillance state is not religious, it's common fucking sense.
There is 0% possibility the US gov cannot publish a certificate in all major browsers that could usurp any DNS from a registrar in a country under US dominance.
Just because they haven't used that card yet doesn't mean they can't. The clearnet is already a surveillance cesspit. There is no escaping state forces anywhere on it.
It's just the Europeans being complacent about leaving this capability to the Americans. For now they depend on US cyber command for it, and they won't do it to Google for the sole benefit of Europeans.
There is 0% possibility the US gov could do it covertly.
Sure, they could force it overtly, but the rest of the world would have forks of browsers like 15 minutes after it went through.
Besides, there is no need to go after the browsers. If you want a fake cert for a few days, the EU has trusted certificate authorities just like the US that can issue a cert for any website (CAs are usually not restricted to specific TLDs). The CA would just get removed from browsers within days, same as browsers being replaced.
PS: Btw, iTrusChina is also a trusted CA. If the US is not concerned about their main adversary, China, forging certificates, why should the EU be worried about an ally doing so?