Why Does Apple Include Government Certificate Authorities on the Mac?

February 23rd, 2015

Via: Zit Seng’s Blog:

The Certificate Authorities are usually trustworthy. Usually. Except, when you look into the list of Certificate Authorities trusted by the Mac. There are the usual big name Certificate Authorities like Verisign, GeoTrust, Symantec and Thawte. But how about these ones:

Subject: C=US, O=U.S. Government, OU=FPKI, CN=Federal Common Policy CA
Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 2
Subject: C=JP, O=Japanese Government, OU=ApplicationCA
Subject: C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root

But governments are the good people, right? Erm, I don’t know. There are people who don’t trust their own government. For example, U.S. citizens may be concerned about their NSA (or FBI) spying activities. They are afraid of the NSA being able to break encryption codes.

Well, it turns out that NSA’s job is a lot easier. There are no codes to break. They just intercept your communication, carry out a man-in-the-middle attack, and what else do they need? You think your HTTPS connection is securely encrypted, but wait, couldn’t the U.S. government generate a brand new fake certificate, give it to the NSA, and then serve that to you? Your web browser won’t raise any alarm bells. The SSL certificate is valid, and it is signed by a Certificate Authority that is trusted by your computer.

So, just to get this straight. Not only does the U.S. government have the privilege of intercepting any of your HTTPS connections and presenting valid, trusted SSL certificates to you, the Japanese government and the Chinese government have the same privileges.
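A small trust-store triage script, added here and not part of Zit Seng's post or of Apple's tooling: it takes subject lines of the kind a Mac prints from `security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain | openssl x509 -noout -subject` and flags the government roots the post lists, so an administrator can review them before deciding which to distrust. The sample lines are constructed from the four subjects above plus one VeriSign-style line with an escaped comma; the keyword pattern and the affiliated-organisation list are assumptions, and since it only processes text it runs on any platform.

```python
import re

# Constructed sample: subject lines as `openssl x509 -noout -subject` prints them
# (newer OpenSSL writes "C = US"; the parser strips that spacing). Lines 1-4 are the
# roots quoted in the post; line 5 is constructed to exercise the "\," escape.
SAMPLE_SUBJECTS = [
    "subject=C=US, O=U.S. Government, OU=FPKI, CN=Federal Common Policy CA",
    "subject=C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 2",
    "subject=C=JP, O=Japanese Government, OU=ApplicationCA",
    "subject=C=CN, O=China Internet Network Information Center, "
    "CN=China Internet Network Information Center EV Certificates Root",
    "subject=C=US, O=VeriSign\\, Inc., OU=Class 3 Public Primary Certification Authority",
]

# Assumed keyword test on O/OU/CN values; "Government" and "DoD" cover the US and JP roots.
GOVERNMENT_PATTERN = re.compile(r"\bgovernment\b|\bdod\b", re.IGNORECASE)
# Assumed list of organisations the post treats as state-controlled although their
# name carries no "Government" keyword; seeded with the one example from the post.
STATE_AFFILIATED_ORGS = {"China Internet Network Information Center"}


def parse_subject(line):
    """Turn 'subject=C=US, O=Foo\\, Inc., CN=X' into [('C','US'), ('O','Foo, Inc.'), ...].
    Keeps duplicate attributes (e.g. two OUs) in order and honours the RFC 4514
    backslash escape so a comma inside a value does not split the RDN."""
    body = re.sub(r"^\s*subject[=:]\s*", "", line, flags=re.IGNORECASE)
    rdns = []
    for rdn in re.split(r"(?<!\\),\s*", body):      # split only on unescaped commas
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip(), value.strip().replace("\\,", ",")))
    return rdns


def is_state_root(rdns):
    """True if any O/OU/CN value looks governmental or is on the affiliated-org list."""
    for attr, value in rdns:
        if attr in ("O", "OU", "CN"):
            if GOVERNMENT_PATTERN.search(value) or value in STATE_AFFILIATED_ORGS:
                return True
    return False


def triage(lines):
    """Split subject lines into (flagged_labels, other_labels); a root without a CN
    (the Japanese and VeriSign entries) is labelled by its O instead."""
    flagged, other = [], []
    for line in lines:
        rdns = parse_subject(line)
        attrs = dict(rdns)                           # last value wins; fine for a label
        label = attrs.get("CN") or attrs.get("O")
        (flagged if is_state_root(rdns) else other).append(label)
    return flagged, other
```

On a real Mac, feed the script the output of the `security`/`openssl` pipeline above instead of `SAMPLE_SUBJECTS`, then review each flagged root in Keychain Access before changing its trust settings.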
