this post was submitted on 11 Jan 2024
44 points (100.0% liked)
Technology
59669 readers
2727 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Not directly no, but it could be combined with other attacks to potentially decrypt your data. Maybe.
The root certificates are used for the primary proof that the server you're talking to is the server it claims to be. It's not the only protection so just this alone wouldn't generally be enough to decrypt anything. Also if your traffic does go to the correct server... then having the root certificate doesn't allow them to decrypt it.
It's a complex system and difficult to explain all of it, you really just need to learn how every step of the process works and also how each one can be compromised, to fully understand any of this.
I setup our transparent proxy so we can do interception and IPS. I'm interested/concerned about the ability to use an intermediate ca cert downstream inline somewhere (like a teoco) and if regular consumer desktops would alert on that since their browser would trust the root. We GPO place our intermediate cert in the Windows trusted intermediates. I can't remember if browsing breaks without doing that.
Not really a concern if there's other certs/TLS required.in addition to the QWACs cert thought.
I got the impression the easier threat/worry was compromise of a nation CA and issuing illicit duplicate site certs, to then spoof a bank site. Still requires traffic redirection with DNS or routing though I think.