Comment by iancarroll
11 years ago
That would make dragnet surveillance easier. Just MITM everything and you'll be the Trusted Source™ for all traffic.
11 years ago
That would make dragnet surveillance easier. Just MITM everything and you'll be the Trusted Source™ for all traffic.
No, that does not make dragnet surveillance easier. Dragnet surveillance depends on not being easily detectable. However, an SSL MITM attack is easily detected, as it changes the fingerprint of the SSL-key of the site you're talking to. By recording fingerprints and comparing them over time or for different users, or directly contacting the site's operator (using a secure communication channel, e.g. meeting him in person), the existence of a MITM is easily proven.
BTW what you call "dragnet surveillance" is better described as "Pervasive Monitoring", see also RFC7258 "Pervasive Monitoring Is an Attack" [1].
[1] http://tools.ietf.org/html/rfc7258
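The fingerprint comparison described in the comment above, as an added example that is not part of the thread or written by any commenter: it hashes each observed certificate and reports hosts for which different users saw different fingerprints. The host names, vantage labels, timestamps and certificate bytes are constructed sample data, and `find_mismatches` is a hypothetical helper name.

```python
import hashlib
from collections import defaultdict

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def find_mismatches(observations):
    """Report hosts that were observed with more than one fingerprint.

    observations: iterable of (host, vantage, timestamp, der_bytes).
    Returns {host: {fingerprint: [(timestamp, vantage), ...]}} containing
    only the hosts whose observations disagree.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for host, vantage, ts, der in observations:
        seen[host][fingerprint(der)].append((ts, vantage))
    return {host: {fp: sorted(s) for fp, s in fps.items()}
            for host, fps in seen.items() if len(fps) > 1}

# Constructed sample data: these byte strings stand in for DER certificates.
# Against a live server the bytes would come from
# ssl.SSLSocket.getpeercert(binary_form=True).
SITE_CERT = b"constructed-der-bytes-site-key"
OTHER_CERT = b"constructed-der-bytes-interceptor-key"
SAMPLE = [
    ("example.org", "user-a", "2014-11-01T10:00Z", SITE_CERT),
    ("example.org", "user-b", "2014-11-01T10:05Z", SITE_CERT),
    ("example.org", "user-c", "2014-11-01T10:07Z", OTHER_CERT),
    ("example.net", "user-a", "2014-11-01T10:10Z", SITE_CERT),
]

if __name__ == "__main__":
    for host, fps in find_mismatches(SAMPLE).items():
        print(f"{host}: {len(fps)} different fingerprints observed")
        for fp, sightings in fps.items():
            print(f"  {fp[:23]}...  {sightings}")
```

A mismatch is a signal to investigate, not proof by itself: a key rotation or several servers with different certificates produce the same result, which is why the comment pairs the comparison with asking the site's operator over a separate channel.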
Nobody’s suggesting that self-signed certs be treated as trusted or CA-cert equivalent, only that they not be regarded as worse than unencrypted http. In the proposals being discussed, that attack would be no more of a threat than MitMs currently are against http.