  • The only MITM that can be done is at the server itself or in a website pretending to be the requested server. But for this to work, you need to have the private and public keys of the server you want to act like.

    Maybe I misunderstand what you’re saying, but since the wide majority of EU citizens use their ISP’s DNS, it’s trivial for them to mandate a domain redirection to another server which would act as a proxy of the original (and thus only need the original server’s public key).

    So far, the only protections we have against that are:

    1. Changing DNS (WAY too complicated for the average user, also brings the DNS’ own country’s censorship)
    2. The fact that they wouldn’t have a valid certificate for it because any sensible CA would see it for what it is: a MITM.

    That’s why, to my understanding, this is such a big deal. At any point, ANY EU gov (and I want to emphasize that part because it’s important in the context of this law) can request a change of DNS from their ISP’s DNS (many already do right now) and emit a fully trusted certificate for the domain they want to MITM.
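A defender-side check for the scenario the comment describes, added here as an example and not part of the original thread: it compares what the system resolver returns and which CA issued the served certificate against expectations recorded out of band (a known address range and the CA the site actually uses). The domain name, CA organisation name and address range are constructed placeholders.

```python
"""Flag DNS redirection plus a substitute certificate from a different (but trusted) CA."""
import ipaddress
import socket
import ssl

# Constructed expectations for a hypothetical domain. In practice these come from
# your own records: an out-of-band resolver answer and the CA you really use.
EXPECTED = {
    "example.test": {
        "issuers": {"Example Trusted CA"},                      # assumed CA name
        "networks": [ipaddress.ip_network("203.0.113.0/24")],   # documentation range
    },
}


def _issuer_org(peercert):
    """Pull organizationName out of the issuer tuple returned by ssl.getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def assess(hostname, resolved_ips, peercert, expected=EXPECTED):
    """Return a list of findings; an empty list means nothing looked redirected."""
    findings = []
    rule = expected[hostname]
    for ip in resolved_ips:
        if not any(ipaddress.ip_address(ip) in net for net in rule["networks"]):
            findings.append(f"resolver returned {ip}, outside the expected networks")
    org = _issuer_org(peercert)
    if org not in rule["issuers"]:
        findings.append(f"certificate issued by {org!r}, not one of {sorted(rule['issuers'])}")
    return findings


def probe(hostname, port=443):
    """Live check: resolve with the system resolver, then fetch the served certificate."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    ips = sorted({info[4][0] for info in infos})
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()   # only populated because the chain validated
    return assess(hostname, ips, cert)


if __name__ == "__main__":
    import sys
    for finding in probe(sys.argv[1]):   # hostname must have an entry in EXPECTED
        print(finding)
```

Note that `probe` only runs `assess` after the default context has accepted the chain, which is exactly the case the comment worries about: a substitute certificate from a trusted CA validates fine, so the issuer and address checks are what catch it.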