On Mon, May 20, 2019 at 8:53 AM Danishka Navin <danishka(a)gmail.com> wrote:
Seems the government is working with Chinese tech people to run a mass
online surveillance system.
http://www.themorning.lk/china-styled-mass-online-surveillance/
But I am not clear how a root CA can be used for an SSL MITM attack instead of a user cert.

If you trust a root CA for signing websites, then they can sign a new
certificate for google.com, then modify DNS to send you to a
non-Google server presenting their certificate, signed by the corrupt
CA. They'd decrypt all of your traffic, read it, re-encrypt it with
the real google.com cert and pass it along. You would still see the
website you expect to, but in the middle all of your traffic is
exposed to the man-in-the-middle server.
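
The trust decision described in the reply above, as an added example that is not part of the original email: default validation accepts a certificate for a hostname from any root in the trust store, while a client that pinned the server key earlier notices the swap. The CA names, keys and the HMAC stand-in for CA signatures are constructed assumptions of this toy model.

```python
import hashlib
import hmac

# Toy model: HMAC with a per-CA secret stands in for a real CA signature
# (an assumption of this example; real certificates use asymmetric keys).
CA_KEYS = {"LegitCA": b"legit-ca-key", "CorruptCA": b"corrupt-ca-key"}  # constructed
TRUST_STORE = {"LegitCA", "CorruptCA"}  # roots the client has been told to trust


def issue(ca, hostname, server_pubkey):
    """A CA signs the binding hostname -> server public key."""
    body = hostname.encode() + b"|" + server_pubkey
    sig = hmac.new(CA_KEYS[ca], body, hashlib.sha256).digest()
    return {"host": hostname, "pubkey": server_pubkey, "issuer": ca, "sig": sig}


def chain_valid(cert, hostname):
    """Default check: hostname matches and ANY trusted root signed the cert."""
    if cert["host"] != hostname or cert["issuer"] not in TRUST_STORE:
        return False
    body = cert["host"].encode() + b"|" + cert["pubkey"]
    expected = hmac.new(CA_KEYS[cert["issuer"]], body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert["sig"])


def pin_of(cert):
    """Public-key pin: hash of the server key from a known-good connection."""
    return hashlib.sha256(cert["pubkey"]).hexdigest()


def check_connection(cert, hostname, pins):
    """Return 'ok', 'untrusted' or 'pin-mismatch' for a presented certificate."""
    if not chain_valid(cert, hostname):
        return "untrusted"
    if hostname in pins and pin_of(cert) != pins[hostname]:
        return "pin-mismatch"  # valid chain, but not the key seen before
    return "ok"


real = issue("LegitCA", "google.com", b"real-server-key")         # constructed
swapped = issue("CorruptCA", "google.com", b"interceptor-key")    # constructed
PINS = {"google.com": pin_of(real)}

if __name__ == "__main__":
    print(check_connection(swapped, "google.com", {}))    # ok: chain check alone
    print(check_connection(swapped, "google.com", PINS))  # pin-mismatch
    print(check_connection(real, "google.com", PINS))     # ok
```

The first result is the point of the reply: nothing in the chain check ties google.com to the CA it normally uses, so removing the extra root from the trust store or pinning the expected key is what makes the substitution visible.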