Think about it like this: in 2015, we all lost our proverbial minds at the idea of the Kazakhstan government mandating the installation of root certificates on their citizens' devices. We were outraged at the premise of a government mandating the implementation of a model that could, at their behest, allow them to intercept traffic without any transparency or accountability. The EFF said the following at the time:
If the country's ruling regime were to successfully implement this plan, it would be able to snoop on, impersonate, and alter the online communications of anyone within their borders—effectively performing a Man in the Middle attack on its entire population.
Now watch the video, listen to Scott and ask yourself how different the technical capacity he discusses is from the Kazakhstan situation. Not from a policy perspective or the intentions of the respective government bodies, but rather in terms of the capabilities and lack of transparency it results in. It's nuts. But hey, it's a good time to be in this industry!
References
- If it looks like a duck, swims like a duck, and QWACs like a duck, then it's probably an EV Certificate (Scott's original Jan 2022 post on the emergence of QWACs)
- What the QWAC?! (Scott's post from this month that expands on eIDAS, root certificates and other - to use the technical term - batshit crazy ideas)
- Did we learn nothing from the death of EV certificates?! (I posted that more than 4 years ago now after the EV indicator was removed from browser omnibars, effectively making them invisible to all but the most tech-savvy people)