
Do you honestly think that could happen? How? Who would co-operate? Which OS or browser vendor would knowingly distribute such a certificate? Not even Microsoft or Apple would co-operate, let alone Mozilla or the Linux distros...

And it's not as if they can do it secretly. If they suddenly started to MITM all TLS traffic in the country by replacing the certs with certs signed by the national root, it would get noticed within minutes, if not seconds. And God only knows how much stuff it would break. And on top of that, they don't even have the capability...

There is 0% chance they would attempt such a thing. And 100% chance that such a thing would fail immediately and fail badly. I don't know why people think there is even a slight risk of them trying such a thing. There isn't.
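The "it would get noticed" point above rests on a concrete mechanism: a client that pins the root it expects for a host will reject a substituted chain even if the substitute root were somehow shipped as trusted. The following is an added example, not code from the thread or any commenter; it is written in Go because the standard library can mint and verify certificates offline. All names (the host `example.test`, the two CAs, the pin value) are constructed in-process and are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical host name used for the constructed test certificates.
const host = "example.test"

// newCert generates a P-256 key for tmpl, signs tmpl under parent with
// parentKey (self-signs when parent is nil) and parses the result.
// Failures here are test-setup errors, so the helper panics.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed CA in-process (constructed test data).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueLeaf issues a server certificate for host, signed by the given CA.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	leaf, _ := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin format used
// by HPKP and by most pinning libraries.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkChain does what a pinning client does: build a chain to a trusted root,
// then insist that the root is the one recorded for this host. It returns ""
// when the chain is acceptable and otherwise the reason to raise an alert.
func checkChain(leaf *x509.Certificate, roots *x509.CertPool, expectedRootPin string) string {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return "untrusted chain: " + err.Error()
	}
	root := chains[0][len(chains[0])-1]
	if spkiPin(root) != expectedRootPin {
		return "chain ends at unexpected root: " + root.Subject.CommonName
	}
	return ""
}

// scenarios returns the verdict for the genuine chain, for a substituted chain
// from a root the client never trusted, and for a substituted chain from a root
// the vendor shipped as trusted but that does not match the recorded pin.
func scenarios() (genuine, untrustedRoot, trustedButWrongRoot string) {
	legitCA, legitKey := newCA("Legit Public CA")
	rogueCA, rogueKey := newCA("National Root (constructed)")
	legitLeaf, rogueLeaf := issueLeaf(legitCA, legitKey), issueLeaf(rogueCA, rogueKey)
	pin := spkiPin(legitCA) // the pin the client recorded for host on an earlier visit
	onlyLegit := x509.NewCertPool()
	onlyLegit.AddCert(legitCA)
	both := x509.NewCertPool() // the OS vendor has also shipped the rogue root
	both.AddCert(legitCA)
	both.AddCert(rogueCA)
	return checkChain(legitLeaf, onlyLegit, pin),
		checkChain(rogueLeaf, onlyLegit, pin),
		checkChain(rogueLeaf, both, pin)
}

func main() {
	g, u, w := scenarios()
	fmt.Printf("genuine: %q\nroot never trusted: %q\nroot trusted, pin wrong: %q\n", g, u, w)
}
```

The second verdict is the ordinary case: the substitute root is not in the trust store, so path building fails before any pin is consulted. The third verdict is the one the thread argues about: even if a vendor had shipped the root, a client that remembers the SPKI hash of the root it saw before still flags the new chain, which is why a blanket substitution would be visible almost immediately to anyone running pinned clients or certificate monitoring.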



>Who would co-operate?

Who can resist a sufficiently determined state that still enjoys popular support? All he has to do is engineer the support for "security" over the long term.

Don't misunderestimate your fellow voters.


When resistance is so damn easy, and capitulation so self-destructive, who would co-operate? You could not force a Linux distro or Mozilla to distribute that cert. It could not be done.

[edit] https works based on trust. We trust the browsers and OS vendors to at least try to prevent the CAs from abusing their power. As soon as it becomes obvious that the OS and browser vendors are now letting state actors compromise all traffic, then https is dead in the water and something else will come along. Nobody is going to risk that happening. It would cost too many rich people too much money.


That's very well thought-out. The tinfoiler in me wonders if that's true, though, and if there aren't subtler avenues for circumvention that still target this trust-based system, especially via social engineering.

I had little interest in security before Snowden, so admittedly, I need to lurk moar and keep learning. Thanks for offering another argument I can try to fit against new facts I encounter and helping me continue that process.


S. Korea has a block cipher that no other country uses. Almost all S. Korean internet users install a plugin which allows them to browse the S. Korean internet since all S. Korean internet businesses must use that cipher. The UK could require that all companies that wish to do business in the UK must use the UK's CA. This would incentivize users to install the CA and incentivize vendors to pre-install it.


And S. Korea is the only Korean-speaking country on the internet. The UK is not the only English-speaking country. Many people will simply ignore UK sites and just use US ones.


This would only work if UK online businesses are happy to sacrifice all of their foreign income. I.e., this would not work.

