No, TLS is not vulnerable to a MITM unless a) your client trusts the certificates issued by the attacker, or b) the attacker successfully forges the certificate of the website you are trying to visit.
That is, assuming you don't click away your browser's security warning.
> TLS is not vulnerable to a MITM unless a) your client trusts the certificates issued by the attacker,
Or, in other words, it is vulnerable.
China can (and probably does) issue a certificate that all Chinese browsers must install, they can then do MITM https using their certificate to sign the new versions.
Companies do this routinely BTW. Since it's their equipment, it's considered just fine. (But be aware of it if you are using a company computer.)
"On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC."
There is a concern dating back many years that a government will mandate that UAs trust a particular government-controlled CA (that eventually, but maybe not at first, openly performs MITMs). This is one reason that browsers really want to keep control of their root programs and not be mandated by governments to include any particular trusted roots -- including to maintain a remedy against roots that do appear to deliberately facilitate MITMs.
Although there have been lots of concerns about CNNIC, I don't believe that the Chinese government currently either (1) routinely uses CNNIC to perform MITMs for censorship or mass surveillance purposes, or (2) purports to require UAs to trust CNNIC or another Chinese root in order to be used by Chinese users. I'm happy to be corrected if someone knows otherwise.
They wouldn't "routinely" abuse their root to monitor large populations. That would be too obvious and result in near-immediate loss of their precious root.
What's more dangerous, and much more likely, is that they might use forged certificates against specific individuals for a short period of time, for example, to intercept login credentials. The attack will go unnoticed as long as they also block the corresponding HPKP reporting URL (if the targeted site uses HPKP at all).
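The pinning the comment above refers to (HPKP) works by comparing the SHA-256 hash of the server key's SubjectPublicKeyInfo against a set of known-good pins, independently of whether the chain validates against the trust store. Below is an added example, not part of this thread, of that client-side check in plain Python: a minimal DER reader pulls the SPKI out of a certificate and computes the RFC 7469 `pin-sha256` value, so a certificate issued by a rogue but trusted CA fails the pin even though it carries a "valid" chain. The certificates, keys, and the `example.test` name are constructed fixtures (unsigned, with a dummy signature field); only the leaf key is pinned here, whereas HPKP also allows pins on intermediates.

```python
import base64
import hashlib

# ASN.1/DER tag bytes used below
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, UTCTIME, CONTEXT_0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)


def der_tlv(tag, content):
    """Encode one DER tag-length-value, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, content, end offset)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER-encoded X.509 certificate."""
    _, cert_body, _ = der_read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = der_read_tlv(cert_body, 0)        # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, end = der_read_tlv(tbs, pos)
    if tag == CONTEXT_0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                            # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read_tlv(tbs, pos)
    tag, _, end = der_read_tlv(tbs, pos)
    if tag != SEQUENCE:
        raise ValueError("malformed certificate: subjectPublicKeyInfo not found")
    return tbs[pos:end]


def spki_pin_sha256(spki_der):
    """RFC 7469 'pin-sha256': base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def cert_matches_pins(cert_der, expected_pins):
    """Defender-side check: does this certificate's key match a known-good pin?
    A rogue-but-trusted CA can mint a chain that validates, but it does not hold
    the legitimate server's private key, so the SPKI pin of its leaf differs."""
    return spki_pin_sha256(extract_spki(cert_der)) in expected_pins


def make_spki(key_bytes):
    """Constructed dummy SPKI wrapping key_bytes as an rsaEncryption key (not a real RSA key)."""
    rsa_oid = der_tlv(OID, bytes.fromhex("2a864886f70d010101"))      # 1.2.840.113549.1.1.1
    return der_tlv(SEQUENCE, der_tlv(SEQUENCE, rsa_oid + der_tlv(NULL, b""))
                   + der_tlv(BIT_STRING, b"\x00" + key_bytes))


def build_test_cert(spki, with_version=True):
    """Construct a structurally valid but unsigned certificate around spki
    (constructed test fixture; the signature field is a dummy)."""
    sha256_rsa = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b"))
                         + der_tlv(NULL, b""))                        # sha256WithRSAEncryption
    name = der_tlv(SEQUENCE, der_tlv(SET, der_tlv(SEQUENCE,
                   der_tlv(OID, bytes.fromhex("550403"))               # commonName
                   + der_tlv(UTF8STRING, b"example.test"))))
    validity = der_tlv(SEQUENCE, der_tlv(UTCTIME, b"240101000000Z")
                       + der_tlv(UTCTIME, b"250101000000Z"))
    version = der_tlv(CONTEXT_0, der_tlv(INTEGER, b"\x02")) if with_version else b""
    tbs = der_tlv(SEQUENCE, version + der_tlv(INTEGER, b"\x01") + sha256_rsa
                  + name + validity + name + spki)
    dummy_sig = der_tlv(BIT_STRING, b"\x00" * 33)
    return der_tlv(SEQUENCE, tbs + sha256_rsa + dummy_sig)


# Constructed keys: the real site's key, and the key inside a MITM certificate
# issued by a CA the client happens to trust.
LEGIT_SPKI = make_spki(b"\x01" * 64)
MITM_SPKI = make_spki(b"\x02" * 64)
PINNED = {spki_pin_sha256(LEGIT_SPKI)}

if __name__ == "__main__":
    print("legit cert matches pin:", cert_matches_pins(build_test_cert(LEGIT_SPKI), PINNED))
    print("MITM cert matches pin: ", cert_matches_pins(build_test_cert(MITM_SPKI), PINNED))
```

The check deliberately ignores the issuer: that is the point of pinning, since the threat here is a CA the client already trusts. In practice the pin set should also contain a backup key's pin, otherwise a routine key rotation locks clients out exactly the way an attacker would.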
Revoking the root outside China will have no bearing within. All devices sold and used in China could be forced to include that root. There is not a lot a user could do, especially on mobile if you have a locked phone and only access to the official app store.
There's a fine line between cartoon-villain evil, exemplified by people like Kim Jong Un who just doesn't seem to give a fuck, and just-enough-to-achieve-your-objectives-but-not-enough-to-make-too-many-people-notice evil, which is what China is aiming at.
Lots of people travel in and out of China with all sorts of computing devices. China does care about the reputation of their root and of their highly profitable electronic exports.
It isn't, but if you live in China and want to use the internet, you'll likely be forced to use a proxy that MITMs and serves its own certificate... My point is that TLS is not a solution to prevent government interference when the user has to rely on the government infrastructure for access.
Clouds of gas and dust don't emit light, yet we know they exist and can estimate their mass. Couldn't we apply the same methods to Dyson spheres if this was the case?
From their conclusions, I wonder if there is some kind of "use-it-or-lose-it" effect going on in the sample of older physicians, which does not affect the sample of younger physicians as severely due to their age. That is, the high volume physicians are kept sharp by the high patient workload regardless of age.
Authors' conclusions reproduced below:
"Within the same hospital, patients treated by older physicians had higher mortality than patients cared for by younger physicians, except those physicians treating high volumes of patients."
This isn't the first time we've heard first-hand accounts of massive companies treating workers like slaves. Amazon is already notorious for the ways it treats its warehouse workers. Once again, upward concentration of wealth in our country has created pressure on the people at the bottom to produce more, more, more. If you don't see the parallels to the time period leading up to the massive workers' rights reforms of the Progressive era - you aren't looking very hard. We seem to have already forgotten the lessons we learned just a century or so ago.
There's a very big difference between a cargo pilot and an Amazon warehouse worker. Just because both feel treated unfairly, the warehouse worker will be much worse off. Cargo pilots dream of salaries that were usual in the past, warehouse workers just want to earn enough to have an acceptable lifestyle.
https://security.stackexchange.com/questions/8145/does-https...