← Back to context

Comment by codedokode

3 years ago

There are approximately 10 Tier-1 ISPs through which majority of Internet traffic passes, and unless I misunderstood something, they can issue valid certificates for almost any domain. To me it looks like "completely compromised".

Every CA can issue valid certificates for every domain? And it always has been that way.

  • CA has a risk to get their root cert removed from browsers; ISP doesn't risk anything especially when asked by the govt.

    • They risk having their peerings cancelled. Also it might be a crime in some countries.