1. China Uses Unencrypted Websites to Hijack Browsers in GitHub Attack
2. Ellen Pao’s Statement On Losing The Kleiner Perkins Case: “The Battle Was Worth It”
3. How C-51 undermines privacy (Lisa M. Austin, Benjamin J. Goold, Avner Levin and Andrea Slane)
4. Facebook tracks logged-out users in ‘violation’ of EU law, study says
5. Bell censorship: the status quo can’t endure
One response to “News of the Week Top 5; April 1, 2015”
HTTPS (HTTP using SSL/TLS) relies on the end user’s computer trusting only valid certification authorities (CAs). I won’t go into the technical details here. However, suffice it to say that a computer configured to trust a CA controlled by a malicious player will believe SSL/TLS certificates signed by that CA. That is, if my computer trusts Mallory’s EvilCorp CA, then Mallory can make me believe any old website belongs to, e.g., ScotiaBank, RBC, CBC, etc. — provided that Mallory can intercept the communications between me and, say, the valid and real ScotiaBank website.
So, given (1) a Great Firewall that routes all traffic into and out of the country; and, (2) the ability to configure computers to trust The Great Firewall CA…well, HTTPS doesn’t protect against these MitM attacks very well at all in these circumstances.
To protect against this sort of attack, you really need to Onion Route (e.g., Tor) to an endpoint beyond the Great Firewall before making the final hop to the legitimate site.