
The Chinese government has the root certificates for every Chinese certificate authority. It can MITM traffic for any citizen, even over HTTPS.


What makes this attack powerful is not that sites within China can be shut down (the government can already do that) but that sites outside of China can be tricked into DDOSing other sites outside of China. Which is why this attack only works over HTTP.


Right, but the traffic coming from users in China is past the point that HTTPS would help. The requests are already in flight from people in China who've been served malicious JavaScript.


What I mean is that China can just force a CA to give the CPC its root certificate and then just intercept and edit any HTTPS responses to Chinese citizens and re-sign them as secure.


It would work just as well over HTTPS; they would just have to make a different phone call (to the site hosting the script rather than to the GFW).



