Just to clarify. The padlock means "We are certain that you are connected to a site that has control over that domain name, btw the connection is encrypted". It doesn't mean "you are on a secure site". This is mentioned in the vid, I just wanted to summarize.
"We are certain that you are connected to a service that is presenting a certificate with a valid name (fqdn), and a trust chain which links to a root certificate that is trusted by your web browser" Transparent corporate web proxies don't "have control over all internet domains", yet they can mitm-intercept all the web traffic from employees using company computers because of the above.
At the same time this is pretty damn sketchy, it is also super sketchy how access to backbone technology is all in the hands of American tech companies "we don't like your country, now your entire population should not have access to being able to do banking securely, hosting, being able to make money online or anything"
The tech companies increasingly own all of us. This is just the next logical step of deplatforming. Now it's happening against a whole country at a time lol.
Big Tech has overplayed its hand in using its power to punish. Its dreams of being global systems have died now. Each economic zone will create its own systems.
Help Americans retake the big tech companies that our taxes paid/still paying for, let's make it FOSS. Amazon, Google, Apple, Microsoft and on have defrauded the American public and acted as an abusive "arm of government" such monopolistic practices are a violation of both domestic laws and international fair trade business laws. Anyway, be sure to let randoms or your pals know that US tax payers funded big tech, and we the people want our data out of the hands of Palantir and we want to FOSS the infrastructure that our taxes paid for. Amazon can go eat a bag of rolled quarters.
As a cybersecurity major, your videos help me apply what I learn to real scenarios, and I appreciate that you explain everything in a way it's easy to understand. Thank you!
Except he's wrong and describing something that might have been possible 5 to 10 years ago. Because most correctly configured websites have CAA DNS records and HSTS.
@@KnutBluetooth Can you explain more about that? He explained a lot of what I have to read in my textbooks so I assumed it was accurate. I am only in my first semester with this major so I don't know much lol
"that's like remembering the phone number of every single one of your friends. that doesn't make sense" Damn that makes me feel old, as this is exactly what we did. It was common to have memorized two dozen or more phone numbers. Friends, family, work, etc.
@@annybodykila I know one of my older friends still remembers his home ph. number, his friends' telephone numbers (home numbers), his mom's cell phone number from 15 years ago and a lot of other stuff LOL funny how our brain remembers the most useless things ever.
1:53 DNS servers are rarely hacked, but if they would get hacked, then the attacker could just buy a certificate for the domain, and TLS is circumvented. You only need to demonstrate that you control a certain domain to buy a certificate for it. What TLS really protects against is man in the middle attacks, when the attacker hacks your network, or you're on an insecure wifi, or your ISP/government are hacking. I used to demonstrate that with rogue wifi APs with an SSID like McDonalds or something that people's phones will automatically connect to.
I'd recommend reading Christopher Soghoian's 2011 paper "Certified Lies" [edit: BE SURE to find an uncensored copy; the appendix includes some very damning supporting material, but many _academic_ sources omit it] to put a big asterisk on TLS' protection against governments; the tldr is there are so many intermediates that are so poorly run that it's nearly inevitable that the NSA has coerced a few into giving them either illicit certificates or the keys outright
@@codegeek98 and I think that it's highly likely Let's Encrypt has also probably given them at least read-only access, given how it's such a critical piece, with nearly everyone who's not straight buying their certs, using LE
@@jan_harald But Read-Only access means nothing. These days all certificate issuance is public information anyways thanks to "certificate transparency." (Except for illicitly-issued ones, I'm sure)
@@codegeek98 Yeah, the NSA can do pretty much anything, but at least it protects against other, less powerful APTs / resourceful and sophisticated adversaries, like the government of Kazakhstan as mentioned in the video. I believe it can protect against Russia as well. Probably not China, because they control the hardware.
@@joshuavillwo it means a LOT to have read-only access to your passwords and stuff, to any private messages you send via web chat, etc. etc. Certificate transparency tells you what CA issued what cert to who, and when, which is not what I'm talking about here
I remember hearing about this back in Iran 10 years ago. They used a Dutch certificate authority to mitm Google users. I wish we could move on to a better system than this.
@agapp11able and one year prior to that One who shall not be named made changes to the Constitution in order to protect children and Russian culture. And also to grant himself a lifetime diplomatic immunity among some other things. Back in the day I thought he simply didn't want to answer for palaces tHaT aRe PhOtOsHoPeD aNd NoT fOr HiM aNd LoOk At *YoUr* GoVeRnMeNt FiRsT! But boy did I not expect political ambitions to really hit the fan. Damn.
@agapp11able kinda, but not really. Intellectuals are pretty much on the same page most of the time, while "common" people would be surprised, how much alike they really are, if it wasn't for the language barrier. Apart from fetishizing suffering: Russian people take great pride in their ability to endure and overcome adversities and never yield or whine. Older generation, that is, I can't see this mindset being all that prevalent in the youth. If you have any other traits in mind, that are more or less unique to Russian culture, I would appreciate your insights. I think it has to do with newly (welp, 2012 sort of "new") discovered shale and slant gas deposits in Ukraine. Most of which are in Crimean exclusive economic zone and on the northwest of DNR. The peninsula itself is too expensive to hold with the Crimean channel blockage, hence the imperative to clear the dam and gain foothold by the Dnieper. The latter being the only natural border between Russia and Europe apart from Carpathian mountains, so we have the rest of the conflict: Donetsk and Lugansk won't last too long as buffer zones without it. Russian economy can't afford big competitors in Europe, hence the blitzkrieg special gamble. All or nothing. We'll never know for sure, what were the actual reasons, but at least this rationale helps me see some logic in what is happening. As horrible as it is.
In the early days of the internet we really DID have to know those long numerical IP addresses. In fact there was a booklet, sort of like a telephone directory that got updated a couple times a year with valid IP addresses and what site they would take you to.
I think the major problem with this, is the fact that the user is forced to only use government specified browsers that can use the government created certificate service.....Sounds like an absolute monopoly with absolute power over what can be seen, posted, shared, and disseminated.... Seems like a perfectly dystopian internet experience....
If Russia can use this for a man in the middle attack, then so can the old certificate organisations from the US, and are doing this. Make a video on how to prevent the USA from making a man in the middle attack.
Exactly! All "Russia could do this bad thing, Russia could do that bad thing..." blah blah blah... That only means the US could have been able to do all those bad things all along for decades.
1:23 "..it's like, imagine trying to remember the phone number for every single one of your friends. That doesn't make sense.." Holy shit do I feel old now. First day of kindergarten we memorized our own home phone numbers, and then we always memorized the home phone numbers of our closest friends and family. I still remember like twelve different numbers from my childhood, some of which are out of service today!
@@cmnidit4444 It happened simply due to the fact most people dialed numbers manually back then, so the number got cemented in your head anyway. And since calling was more prevalent, you dialed those numbers more often too.
"Imagine remembering the phone number of all your friends.. that just wouldn't make sense." This is how it was done before cell phones. I'm not even that old but I still remember phone numbers of some of my friends from elementary school.
The problem with this is that a single web site like youtube might have dozens of IP addresses, because they have load balancing servers all over the world. Maybe you remember the ip to the youtube server closest to you in seattle, but then you're going on a business trip to london and the ip you remember is now super slow. Also, remember phone books? Those enormous books with a thousand huge pages? That's basically an analogue DNS server.
@@jakob4112 I am not saying that every single number was memorized. However, all close family members, family friends, etc were memorized numbers. My parents actually taught us kids to memorize the numbers in case there was a problem because that was "normal" at that time (2000s). My friends knew those numbers as well. I do remember a little contacts book that also held the phone number for the doctor's office, dentist office, etc. If I ever forgot someone's phone number I would just ask my parents and they would recite it to me. There are movies that reference this common behavior and older people I speak to mention old numbers that they still remember which are no longer relevant to them.
It’s important to realize that trust in a practical sense just means the issuing CA’s certificate is in your host OS’s trust store. For Windows that’s the Crypto API (CAPI) store.
I take major issue with citizens being punished for the actions of their leaders. Just remember that necessity is the mother of invention. With all of these sanctions from governments and big tech, the outcome will be that the Russian people will continue to march forward. What the world is doing right now will force Russia to develop all of this tech on their own - this will likely lead to more national pride, new products and services, and will diversify Russia's exports - in short these measures will make them stronger.
Look at China, the US banned them from the ISS. But now China can make their own space station, meanwhile other countries are still crying and depend on the US for space programs
Looks like it... Russians announced that they will begin doing their own phones, laptops and other tech. And I'm sure after a few years they will manage to do it because they don't have other options. Even Chinese phones are now more expensive in Russia.
Interesting, so what you're saying is that Russia is basically building its own digital and financial infrastructure from the ground up which is more or less invalidating Western sanctions?
Exactly, quite soon it seems there will be a divided internet and financial system. One for the west and Europe and another for Russia China and Eurasia
It's all WEF/NWO agenda, y'all playing right into it. Dividing up the internet so that global communication becomes impossible. So you won't see the riots IN Australia or New Zealand or Canada or Ukraine etc etc. The same players from Downing Street are behind destroying your economies, this is by design and it doesn't take too much digging to hear this straight from their own mouths in recordings archived in places scattered throughout the interweb. Russell Brand been talking about some of the evidence coming out though, great channel for waking up normos.
I'm surprised they don't have one yet. I live in a small country in Eastern Europe and we have a local company which runs an internationally recognized top level root CA, like included in Windows. Ofc the company has deep ties with the local secret service and military and stuff.
Watame sheep in the last vid, and now confused Fubuki... can't tell if Kenny fell through the Hololive rabbithole or if he's just spending too much time lurking on /g/ lately :p
Just saw an article about how Russia might re-open all the Mcdonalds restaurants by lifting the trademark restrictions depending on how everything goes. It's def on the table I'd say.
I feel like DigiCert & al. revoking Russian certificates in the first place was a huge, shortsighted mistake that just enabled them to do this. This outcome was inevitable, and what did it really accomplish aside from locking average people out of their online banking? Sanctioning Putin and his cronies, international transactions &c. is one thing, but denying everyday Russian people things like a secure connection to check if their paycheck has been deposited is just ridiculous and counterproductive.
Tbh, this also applies to most of the Western sanctions. For example, what does removing Apple Pay and Google Play accomplish, aside from restricting devices that common Russians did pay for? They probably just won’t trust those Western companies anymore and rather buy a Chinese alternative or smth.
The more I learn about how much of a joke cyber security is, the more I'm coming to terms that just using cash for everything makes the most sense. I already suck at managing my personal life. Having to manage my cyber life like I need to be coding everything on Linux just seems too hectic for me. I'm better off fending off a mugger with my bare fists than I am trying to hide my tracks online for every little tiny thing when all I'm trying to do is just play some damn video games and watch videos lmao.
Creating your own CA doesn't let you spy on traffic. Encryption is still established securely based on website hosted keys and certificates. Russia having their own CA only lets them sign child certificates, not decrypt traffic that was encrypted with those keys. Fundamentally, any CA provides an answer to the question "is the domain I typed into my browser the same one I'm actually connected to". Encryption happens between host and server, not between host and CA.
Not by itself. But the idea for the Kazakh MITM was that (1) the govt would force the ISP to reconfigure its DNS to point the real website's domain to a government server instead of the real website's server, and (2) the browser would allow this connection because the government's CA had been added to the browser's trusted CA store. The government server would then proxy the traffic to and from the real website's server. There would be encryption between the user and the govt server, and between the govt server and the real website's server, but the govt server would have access to the unencrypted traffic traveling between these encrypted connections. Though in this case, Russia may just be trying to give Russian companies a CA to use, since Western CAs are revoking all Russian company certs. Like Mental Outlaw said, we have to see which sites they use the CA for to determine what their intention is.
Yes it does, first of all your understanding of cert being "is the domain I typed into my browser the same one I'm actually connected to" is partially correct at best. The thing is that while it does verify that, it's only a small part of its actual function. When you initially connect to the website and the TLS Handshake takes place, You receive a Certificate which contains the Cryptographic Public Key (the Private Key of which is available only to the server), And now this key is used on the client side for encrypting and sending back to the server what we call a PMS (Pre Master Secret Key, it is used to calculate the keys which are used for encrypting and decrypting the traffic in a SSL/HTTPS connection) which is then decrypted by the server using the previously mentioned Private Key, and then it's used to compute the master secret and nonces, and finally it generates a pair of encryption keys which then will be used to encrypt and decrypt the traffic. Now if you take a good look at this framework, there is a very apparent vulnerability, that is the fact that if someone on the same connection were to replace the initial SSL Certificate sent by the server with a certificate of their own, it would cause the whole connection to be vulnerable to a MITM attack as the PMS (which is used to calculate the key pair used for the encryption and decryption of the SSL traffic) will be interceptable and hence giving the attacker full access to the decrypted traffic. To counter this Trusted Certificate Signing Authorities were put in place, basically a certificate is signed by a Trusted CA Signing Authority and when the certificate is sent by the server your browser runs the sign through a list of Trusted CAs (Digicert, Globalsign, etc) and if it matches any of them then the certificate itself is deemed legitimate hence allowing the TLS handshake to proceed further.
And if it doesn't match any Trusted CA then depending on the browser you either get a warning or the connection is interrupted with an error. And this is where having a Root Cert placed on the trusted certificate list of your OS/Browser comes into play, while you are true that the Cert in itself can't do much. But if someone is on the same connection as yours then they can intercept the traffic using that cert. Which is pretty easy for a country like Russia given the fact that all of the traffic goes through their own ISPs. Now finally I'll explain in brief as to how this attack works, Let's say that you are a client side browser trying to connect to Google and you have the Russian Root Cert installed on your Browser, and I'm someone with access to modification of ISP traffic. Now your browser resolves the Google Domain name and sends a connection request to the Google server's DNS address. Google responds with the certificate, that is where I come in and intercept the certificate and what I do is that I take that certificate modify it with the public key of my own Cryptographic key pair (to which I have the access to the Private key hence I can decrypt it). And now that the Trusted CA Authority sign is void, I simply sign it with the Russian Trusted CA, and send you the modified certificate with rest of the server response. Now your Browser receives the certificate and runs its signature through the list of Trusted CA Authorities and it matches the Russian root cert that you installed, So it trusts the connection and encrypts the PMS with the public key in the certificate (which you modified to the one that you hold the private key to) and sends it back to Google's DNS address, now what I do is that I decrypt that response and steal the PMS. And then Encrypt the decrypted PMS with the actual legitimate Public Key that Google originally sent and forward it to Google.
Now that you have the PMS you can calculate the nonces and generate the key pair that will be used to encrypt and decrypt the traffic sent between the client and the Google server. Hence you will be able to decrypt, read, modify and encrypt all the traffic that flows between the Browser and Google. And all this could be easily automated, for example you could make a script that basically intercepts the credentials from the traffic and stores it in a database. And yes, you're true that encryption happens between Host and Server and not Host and CA but with the key pair stolen anyone with the access to traffic could decrypt, encrypt and modify it. While this could be avoided if you manually check the Certificate Verifying Authority to see if it's the Russian one or not. But most people who would install that cert in the first place won't really be cautious enough to check the cert every time.
@@aramfingal5180 DNS spoofing could also be done but it's easily detectable and avoidable and it's highly inefficient too. One could use their own DNS Record or Any other ones rather than using the ISPs default one, and if they come down to DNS redirecting most browsers notice it instantly and block it. Also it would be inefficient (also unnecessary) as they would need to host a proxy instance of the website on their end which would require extensive resources. And it all would be unnecessary too, as they could simply use the cert to nab the PMS and use it to intercept the traffic on the fly without needing to put a proxy node in between.
@@mathmagician8191 No need to pretend to be a website or host a fake/proxy instance of it when they can just intercept the traffic and decrypt/modify it using a cert spoof attack.
It always is! I hate it... like we can't do much to stop it or fight back... as long as we don't have a data breach or do something dumb online. We're fine but it is scary that you could be using a website you've always used then one day it's fake... and you wouldn't know unless you look hard. :(
Imagine you'd known how RU Internet segment works. Root certificates and authority centers exist here since the 2000s - they are used for online trading, taxes, document signing (digital signatures). Surprise, it's not only bears and vodka in Russia.
as a computing student your videos are amazing. as an artist, your videos are also amazing, more for the journalism. you are definitely one of the best channels on youtube, and i constantly share your videos with my classmates.
In the United States there's already a rather large MITM operation, called "Cloudflare". You get the padlock and everything, but if you actually inspect the certificate, it isn't what you thought you were going to. Cloudflare is its own CA, Certificate Authority, and consequently it affirms that its customers are legitimate so you get the "padlock" symbol. So instead of going directly to a particular server, you are going to a *proxy* which inspects your packets and then re-packages them for transport to the actual server; and THAT link can be secured by the "real" server certificate or not secure at all. When there's a malfunction in Cloudflare, customers make phone calls to banks and whatever but it isn't the bank's fault and indeed there's not really anything the bank can do about it. "Fiddler" is a nifty diagnostic program that is a MITM proxy *right on your own computer* and it requires you to install the Fiddler root certificate so that your browsers think they are talking to whatever but really they are talking to Fiddler. It makes it possible to diagnose problems with websites that use HTTPS.
Hey there, Russian here, the majority of PCs on which this fucking pain in the ass certificate is installed belong to schools, I know it because I study in one of them and I'm also the one who does all the computer stuff and Linux magic (in Russian schools GNU Linux prevails since Windows needs licensing). You get extensive instructions alongside an order that you have to install this certificate. This guide includes instructions for Linux.
@@frankiefrom80s80 when did you go to school, dinosaur? Russian people won't pay for Windows, and you can't install an unlicensed OS in schools. I don't know about Moscow, but Moscow isn't Russia; in my city all the non-fee-paying schools run Linux. I've also come across macOS with Windows via Boot Camp, but those are in the minority. There are laptops that come with activated Windows, but they sit in the school for the EGE/OGE exams, or for the teachers.
@@saveappitsme9554 I don't know about the rest of Russia, but in all the schools in Moscow and St. Petersburg I only saw Windows. And I myself graduated from a school where all the computer labs were equipped with Windows PCs.
The moment the American big tech does a thing to those, it will be the end of apple, end of apple fanboys. No more iPoon. No more M1 MacBock toys for them. They will panic "OMG! Where is my iPoon?", "Oh no! I can't live without my iPoon! Give me iPoon Max Pro Now! I need it!"
When you introduce an acronym, upon first use of said acronym, state what the letters stand for. At TI 1:43 you state “that is where DNS comes in”, without stating that it is an acronym for Domain Name System/Service and Domain refers to the name used for the web site, such as Google. It would be helpful to non technical folks watching your video. Nice explanation of CA (Certificate Authority) though.
This is not a tutorial video - the audience this channel caters to is primarily those who work in the field. There is an expectation people watching this are technically literate in IT jargon.
@@vik914 then the first 2 minutes were talking down to the IT jargon literate. We did not need the description of how DNS works, because the author assumed we already know what DNS is, so he didn’t need to describe how it works.
Honestly, what is more important to a non technical person - the fact that DNS is a service that maps names to IPs, or what DNS stands for? Without knowing what it does, Domain Name System could well be a fancy name for my browser bookmarks storage. I don't even think that a non technical person would care about what the acronym means. It is just unneeded information beyond the scope of the video.
Is there a (relatively easy) way to mark a certificate authority as partially trusted, so that, if I trust it or not, would vary on a site by site basis? Because, like, I would trust this new certificate authority if I'm connecting to some Russian government website, but not if I'm connecting to, let's say, YouTube. Although, considering the levels of corruption, I wouldn't want to trust it even when connecting to govt websites, because I wouldn't be surprised, if, sooner or later, either the private key will be sold/stolen, or there will be a certificate(s), issued for a fake govt website(s). But I guess I won't really have a choice.
@@OggerFN That only works if the program isn't reading them from a random pem file somewhere in the filesystem. Linphone (the SIP softphone app) likes to do that.
If you want to partially trust a CA on a site-by-site basis, you might as well just configure the browser not to trust the CA at all. Just add the website certificate into your trust Exception list. You're going to have to decide the site certificate yourself anyway.
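The per-site trust asked about in this thread corresponds to X.509 name constraints (RFC 5280), where a CA is limited to permitted DNS subtrees. The sketch below is an added example, not something posted by the commenters, and models that decision; the root names, domains and `POLICY` table are constructed placeholders, and chain building and signature verification are assumed to have been done already.

```python
"""Scoped trust for a root CA, modelled on X.509 dNSName name constraints."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class RootPolicy:
    # None means "trusted for any name"; a tuple limits the root to those DNS subtrees.
    permitted: Optional[Tuple[str, ...]] = None


# Constructed policy: the root names and all domains are placeholders.
POLICY: Dict[str, RootPolicy] = {
    "Example Public Root CA": RootPolicy(),
    "Example National Root CA": RootPolicy(permitted=("gov.example", "bank.example")),
}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def in_subtree(name: str, base: str) -> bool:
    """True if name equals base or only adds whole labels to its left."""
    name, base = normalize(name), normalize(base)
    return name == base or name.endswith("." + base)


def san_matches(host: str, san: str) -> bool:
    """Match a hostname against one SAN entry; '*.' covers exactly one label."""
    host, san = normalize(host), normalize(san)
    if san.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == san[2:]
    return host == san


def constraint_base(san: str) -> str:
    """The name a constraint is checked against (wildcard prefix removed)."""
    san = normalize(san)
    return san[2:] if san.startswith("*.") else san


def evaluate(host: str, sans: Sequence[str], root: str,
             policy: Dict[str, RootPolicy] = POLICY) -> Tuple[bool, str]:
    """Decide whether a leaf (its SAN list) chaining to `root` is acceptable for `host`."""
    rule = policy.get(root)
    if rule is None:
        return False, "root not in trust policy"
    if not any(san_matches(host, s) for s in sans):
        return False, "hostname not covered by certificate"
    if rule.permitted is not None:
        # Every name in the certificate must be in scope, not only the one requested:
        # a single out-of-scope SAN invalidates the whole certificate.
        for san in sans:
            if not any(in_subtree(constraint_base(san), p) for p in rule.permitted):
                return False, f"{san} is outside the scope of {root}"
    return True, "ok"


if __name__ == "__main__":
    national = "Example National Root CA"
    cases = [  # constructed inputs
        ("tax.gov.example", ["tax.gov.example"], national),
        ("video.example", ["video.example"], national),
        ("tax.gov.example", ["tax.gov.example", "video.example"], national),
        ("notgov.example", ["notgov.example"], national),
        ("video.example", ["video.example"], "Example Public Root CA"),
    ]
    for host, sans, root in cases:
        print(host, root, evaluate(host, sans, root))
```
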
The real reason is: *Thawte CA* recently has revoked certificates of some Russian banks. It broke banks' websites. "National" certificates can avoid that in the future. Although "national" certificates allow _"major comrade" («товарищ майор»)_ to read users' traffic, that is NOT the real reason for their creation. P.S. Seven years ago national card processing system was created in Russia. Today *VISA* and *MasterCard* have stopped card processing in Russia, so the national system is the thing that still makes their card processing possible.
I think Russia will benefit from separation of system dependence on the US. It seems that US Democrats are rude to Russia whether they are invading other countries or just minding their own business. Both Europe and Northern American liberals want Russia to be public enemies. Russia is better off accepting this and becoming totally systems independent of these nations.
Visa and Mastercard are completely useless cards in the current reality; MIR can at least be added to MirPay. I remember how, when my university card was issued in September 2021, Sberbank also foisted a Mastercard on me, saying "well, you know you can't really pay with a MIR card anywhere". As for all these certificates and domestic operating systems, they are something to stay well away from. If Windows stops working, I'll install Debian or Ubuntu, not "Astra", which has 100% been stuffed with surveillance software and a backdoor for major comrade. Use Google Translate if necessary. My written English is very bad, I can only understand.
Onion, you say, hahahah. The gov. blocked all the Onion gateway nodes as well as bridges over here. Anyway, Onion has always been overrated due to its convenience factor. Time for I2P, Freenet and such again…
I'm your Russian viewer. This means we'll use one of those two shitty browsers for government websites and regular browsers for the rest of the Internet.
I still remember numbers from when I was a kid and there were no cell phones. I think you underestimate the human capacity to remember strings of numbers. Great explanation of https though!
“Like having to remember all your friend’s phone numbers, that’s not reasonable” Yeeeea…that used to be a thing 😆. You can remember a SURPRISING number of 10 digit numbers when “fun” is on the other end and digital storage doesn’t exist yet
This is what they don't realise. They aren't dealing with Iran, north Korea or Cuba. Russia is massive and has all the materials and allies it needs to keep going without the west, whereas the west need these raw materials badly as they are reliant on them XD
@@FVBmovies Putin's team will just squeeze out the last bit of money out of the country and leave to retire in their palaces in foreign countries. The ruin they'll leave behind doesn't concern them, and we, the young generation, will have to somehow put it all back together. I had no idea what to expect until recently... Now I think I understand. And it's not looking too good.
There is nothing more beneficial for the average citizens than a government that strives for economic independence. Being able to produce basic necessities is a must for a strong independent nation.
@@lol-dm8wx I was talking about production: a country that can function by itself is in a better position than one relying on other countries to survive. Also the government has a monopoly on force and most major US corporations are buying that force for their own means. Which means those corporations are the ones currently running the show.
Who knew that all it took to liberate one's nation was to disagree with other nations, start a war, and undergo sanctions. Could this intense opposition create a fully independent Russia?
On a side note: if you hack a DNS server, you can prove ownership of the domain and acquire a certificate for it (Domain Validation certificate). There's also extended validation and organisation validation which verify more than just the domain. What TLS is actually most useful for is encrypting your data. This way if someone is monitoring your network (your ISP, a public cafe or whatever) they cannot see the data you send and receive from https websites. Another great tool is preventing man-in-the-middle attacks (mitm). In a mitm attack, the hacker targets your pc, network or browser (much simpler targets than dns server) and tricks only your pc/network to a different IP. The difference here is because they do not have public exposure (only your compromised pc/network) of their IP on global dns, they will not be able to verify ownership thereof and create a TLS certificate.
@@graealex I guess in a way it is something like that. You'd get a wrong phone number if someone "hacked" a phone book, and could then be subject to nefarious individuals
@@marcusvinicius9213 The point was that a DNS server is usually the finished publication, like a phone book. The thing is, when you try to validate a domain to get a certificate for it, the certificate authority will look into their own copy of the phone book - i.e. changing any DNS server - basically changing your own phone book, or any, won't make the CA see you as the owner. Instead you need to hack the servers from where the DNS entries get published. For many companies, that'd be their hosting provider. You can then insert the necessary DNS entries that the CA wants to see when you do the validation, and receive a valid certificate.
There's a reason why we were sent phone books heavier than bricks every few years. We couldn't remember every number we needed either, except for our inner circle. And in the context of the internet, web sites pretty much have different numbers based on what you're trying to do, or where in the world you're logging on from. It'd be an absolute nightmare. It also helped that our closest friends and family would usually have the same area code, which makes the digits you needed to remember even fewer. IPs of your favourite web sites don't follow any sort of pattern like that.
@@stale2665 I agree with you on your point about area codes, and I'll even kick it up a notch (bam!): most people's phone numbers rarely changed, so it was much easier to eventually commit it to memory. In fairness, address books were a thing... Phone books though, were not for the purpose of having access to numbers you already knew, but were for allowing you to (hopefully) look up a number you didn't already know. And they were kinda terrible at it, too. They were, however, excellent for stacking up to give your home that rustic, lived-in hoarder feel :D
They actually have a list of domains that use the certificate, it's the second button on the gosuslugi website that says CSV-something. It's mostly banks and government websites.
@@straightupanarg6226 They are going to "rank down" searches that go against their views, so basically they are becoming Google but with less budget and no selling points.
"Imagine trying to remember the phone number for every one of your friends, that doesn't make sense" Ya know, I hear that people used to do this in the long long ago...
I love the fact that you can distinguish between politicians and people. We all know that Putin is crazy for doing this shit, but you care of your Russian viewers, because in the end, they are just regular people like any of us.
@agapp11able Donbas annexation could have been understandable. But full war, and even threatening of using nuclear weapons is not reasonable. The whole world thought he was smart enough to choose other _smarter_ ways to protect his power. Hopefully, he goes back to being reasonable.
@agapp11able "the Ukranian president threatened to build a nuke and fire it into Russia" According to who? Russia? Edit: Ah, yes, Rossa Primavera discussing the "liberation" of Ukraine. The most trustworthy of sources.
@agapp11able And rather conveniently, since YouTube's automod deletes links now, you have literally no way of providing an actual source beyond "trust me, bro".
Install another copy of Firefox, if you have regular Firefox already you can get Beta, Developer Edition or Nightly, install certificate, now you can choose if you want to get mitm by NSA or KGB. And if you think that NSA doesn't have keys from all the western CAs I got a bridge to sell you.
I know right? Everything is so messed up on the way it's set up it's insane. I'm sure there are methods on encrypting packets without having a massive eye surveilling you but they are purposefully not implemented.
not even mental outlaw seems to be aware of the simple, yet effective wonder that is DANE, it would solve all of these problems, as long as 1) the entire DNS system supports DNSSEC (and has it enabled), and 2) the government isn't tampering with their dns root server (which is highly unlikely and would only allow targeting specific sites, one at a time, unless they wanna destroy their entire internet)
DANE does not really solve that problem. DNSSEC leaves one big hole: You have to trust your DNS server. It can just lie to you and set the AD bit, even if signatures were not checked or incorrect. DANE records therefore can’t be trusted 100% either
@@stevemeier2852 DNSSEC is designed to protect against DNS poisoning, since the DNS records are signed by the domain holder as more and more clients support DNSSEC by default DANE will become more and more useful even if you were using a malicious DNS server then DNSSEC will save you, there's a reason why DNS servers that block ads, trackers and malware fail DNSSEC checks client side.
Just to clarify. The padlock means "We are certain that you are connected to a site that has control over that domain name, btw the connection is encrypted". It doesn't mean "you are on a secure site".
This is mentioned in the vid, I just wanted to summarize.
Secure CONNECTION, not secure website. I am not disagreeing with you
same can be said about google or any other major website.
"We are certain that you are connected to a service that is presenting a certificate with a valid name (fqdn), and a trust chain which links to a root certificate that is trusted by your web browser"
Transparent corporate web proxies don't "have control over all internet domains", yet they can mitm-intercept all the web traffic from employees using company computers because of the above.
How do i know then if its a safe website?
@@aggressivetoast That's the neat part. You don't.
I've always wondered how the internet would be in the Soviet Union, if it weren't dissolved. Guess we might know the answer soon
Look no further than China...
Soon soon...
Have a nice one...
Oddly enough, .su domains were never removed and they are still in use.
@ Not China this is different wne would be better
But this isn't the Soviet union? There is no Soviet union and the internet would actually be a good place.
mental outlaw never fails to include anime gifs 💀
He's Coomer Prime
@@thomzwiefler6305 he knows his audience
Come for the tech, stay for the waifus.
@@johnsmith8981 Kenny is mai waifu
Fr
At the same this is pretty damn sketchy, it is also super sketchy how access to backbone technology is all in the hands of American tech companies "we don't like your country, now your entire population should not have access to being able to do banking securely, hosting, being able to make money online or anything"
Sketchy^n
The tech companies increasingly own all of us. This is just the next logical step of deplatforming. Now it's happening against a whole country at a time lol.
Big Tech has overplayed its hand in using its power to punish. Its dreams of being global systems have died now. Each economic zone will create its own systems.
Help Americans retake the big tech companies that our taxes paid/still paying for, let's make it FOSS. Amazon, Google, Apple, Microsoft and on have defrauded the American public and acted as an abusive "arm of government" such monopolistic practices are a violation of both domestic laws and international fair trade business laws. Anyway, be sure to let randoms or your pals know that US tax payers funded big tech, and we the people want our data out of the hands of Palantir and we want to FOSS the infrastructure that our taxes paid for. Amazon can go eat a bag of rolled quarters.
I feel bad for the average Russian civilian. It's not their fault they're stuck in a dystopian nightmare.
For those with the basic knowledge of SSL Certificates, http vs https and trust authority, Skip to 7:55 for the video in context of Russia.
It took me 6 minutes and 57 seconds to get to your comment. Thanks for that minute of my time you saved
I needed the info, but upvoting for other big brains who don't need it.
FemonicRBLX I love you
Man you should do this on all videos
Ty Paula Abdul ❤❤❤
As a cybersecurity major, your videos help me apply what I learn to real scenarios, and I appreciate that you explain everything in a way it's easy to understand. Thank you!
I love when good knowledge is spread on the internet, gives me hope
this must be the new way to major in cybersecurity. the old way was to get arrested by the fbi
Except he's wrong and describing something that might have been possible 5 to 10 years ago. Because most correctly configured websites have CAA DNS records and HSTS.
Nice pfp
@@KnutBluetooth Can you explain more about that? He explained a lot of what I have to read in my textbooks so I assumed it was accurate. I am only in my first semester with this major so I don't know much lol
"that's like remembering the phone number of every single one of your friends. that doesn't make sense"
Damn that makes me feel old, as this is exactly what we did. It was common to have memorized two dozen or more phone numbers. Friends, family, work, etc.
It's just how things were before people became dependent on technology
@@nevermore3055 because telephones aren't technology lol
I still remember my childhood number and my first cell number and best friend's number from like 6th grade, haven't been in school for almost 20 yrs
@@annybodykila i know one of my older friends still remembers his home ph. number, his friends' telephone numbers (home numbers) his mom's cell phone number from 15 years ago and a lot of other stuff LOL funny how our brain remembers the most useless things ever.
It's funny, I can still remember my friend's parent's home phone number but couldn't tell you my friend's cell phone number.
The truth comes out, he wasn't banned from posting for a week, but actually suffering from crippling Vtuber addiction. We've all been there
Bullshit... No one gets addicted to Vtubers for only a week.
@@TheSetkon lol
@@TheSetkon what's the allure of vtubers? I've seen things of them but I don't see how it's addicting
@@z3ro216 imagine women but funny
@@z3ro216 coomers like looking at anime girls
1:53 DNS servers are rarely hacked, but if they would get hacked, then the attacker could just buy a certificate for the domain, and TLS is circumvented. You only need to demonstrate that you control a certain domain to buy a certificate for it. What TLS really protects against is man in the middle attacks, when the attacker hacks your network, or you're on an insecure wifi, or your ISP/government are hacking. I used to demonstrate that with rogue wifi APs with an SSID like McDonalds or something that people's phones will automatically connect to.
I'd recommend reading Christopher Soghoian's 2011 paper "Certified Lies" [edit: BE SURE to find an uncensored copy; the appendix includes some very damning supporting material, but many _academic_ sources omit it] to put a big asterisk on TLS' protection against governments; the tldr is there are so many intermediates that are so poorly run that it's nearly inevitable that the NSA has coerced a few into giving them either illicit certificates or the keys outright
@@codegeek98 and I think that it's highly likely Let's Encrypt has also probably given them at least read-only access, given how it's such a critical piece, with nearly everyone who's not straight buying their certs, using LE
@@jan_harald But Read-Only access means nothing. These days all certificate issuance is public information anyways thanks to "certificate transparency." (Except for illicitly-issued ones, I'm sure)
@@codegeek98 Yeah, the NSA can do pretty much anything, but at least it protects against other, less powerful APTs / resourceful and sophisticated adversaries, like the government of Kazakhstan as mentioned in the video. I believe it can protect against Russia as well. Probably not China, because they control the hardware.
@@joshuavillwo it means a LOT to have read-only access to your passwords and stuff, to any private messages you send via web chat, etc etc
certificate transparency tells you what CA issued what cert to who, and when, which is not what I'm talking about here
Fun fact many government websites from Brazil do not have a certificate
Gov websites have gotten better but most of them are still shit here in Brazil
Indeed
I wonder if I will make a career fixing the gov sites, or the way these are awfully made is intentionally designed by CIA.
neither do Russian sites i think
Governments often don’t shell out the bucks for the good web developers and instead get the lowest bidder.
That was so well explained. I am glad I subscribed to this channel.
Dude, this was really good video. Well put together and packed with info. On a topic that I've wondered about for a long time too. Good job.
You're right.
I remember hearing about this back in Iran 10 years ago. They used a Dutch certificate authority to mitm Google users.
I wish we could move on to a better system than this.
"Just send me the virus link" A few days ago, someone I didn't know messaged me and I responded with "what is it today? gift cards or crypto?"
Hey, Escobar Cash is legit! 🤪
@@JamesWilson01 Don't talk shit on Hitlerwealth!
Russia anti-censorship security V.S. social media anti-censorship bypasses.
Special content operations*
I've legit been wondering how sanctions would affect CAs in Russia.
Wait a second. Do I know you aren't you pleroma or Mastodon?
Yeah
@@whitepaperkat67 yea, i had to double take when i saw him
@agapp11able and one year prior to that One who shall not be named made changes to the Constitution in order to protect children and Russian culture. And also to grant himself a lifetime diplomatic immunity among some other things.
Back in a day I thought he simply didn't want to answer for palaces tHaT aRe PhOtOsHoPeD aNd NoT fOr HiM aNd LoOk At *YoUr* GoVeRnMeNt FiRsT! But boy did I not expect political ambitions to really hit the fan. Damn.
@agapp11able kinda, but not really. Intellectuals are pretty much on the same page most of the time, while "common" people would be surprised, how much alike they really are, if it wasn't for the language barrier.
Apart from fetishizing suffering: Russian people take great pride in their ability to endure and overcome adversities and never yield or whine. Older generation, that is, I can't see this mindset being all that prevalent in the youth.
If you have any other traits in mind, that are more or less unique to Russian culture, I would appreciate your insights.
I think it has to do with newly (welp, 2012 sort of "new") discovered shale and slant gas deposits in Ukraine. Most of which are in Crimean exclusive economic zone and on the northwest of DNR. The peninsula itself is too expensive to hold with the Crimean channel blockage, hence the imperative to clear the dam and gain foothold by the Dnieper. The latter being the only natural border between Russia and Europe apart from Carpathian mountains, so we have the rest of the conflict: Donetsk and Lugansk won't last too long as buffer zones without it.
Russian economy can't afford big competitors in Europe, hence the blitzkrieg special gamble. All or nothing.
We'll never know for sure, what were the actual reasons, but at least this rationale helps me see some logic in what is happening. As horrible as it is.
The anime gifs make this infodump easier to digest.
Stay a legend, man.
Russian here. First time hearing about this certificate thing ngl but was a nice watch. Thanks for the information not gonna ever install that crap
Russian here. And will install. And don't give a fuck.
@Valar Melkor not a single one I use asked for this so far so. Anyways prob gonna use VPN if anything, I proxy most of my traffic these days anyway
@@ryuukoi probably won't be able to get around this one Ilyich.
@agapp11able >"made our own"
what, spyware? lmao at least with america you're out of reach legally, good luck with FSB on your ass at all times
that's some next-level cuckoldry
In the early days of the internet we really DID have to know those long numerical IP addresses. In fact there was a booklet, sort of like a telephone directory that got updated a couple times a year with valid IP addresses and what site they would take you to.
They just now thought to do that? I would have assumed this is something every country has, but then again I'm just a bigfoot so what do I know
I think the major problem with this, is the fact that the user is forced to only use government specified browsers that can use the government created certificate service.....Sounds like an absolute monopoly with absolute power over what can be seen, posted, shared, and disseminated.... Seems like a perfectly dystopian internet experience....
Like google?
@@fallencrow6718 But imagine google actually having a whole and complete monopoly over all usable internet service.....Sounds Terrifying to me :(
You mean like the great firewall of china? Lol
@@FrogsRghey Yeah more like china.....
@@kryststar6800 more like Google actually
If Russia can use this for a man in the middle attack, then so can the old certificate organisations from the US, and are doing this. Make a video on how to prevent the USA from making a man in the middle attack.
Exactly! All "Russia could do this bad thing, Russia could do that bad thing..." blah blah blah... That only means the US could have been able to do all those bad things all along for decades.
There'd be whistleblowers.
@@Moks89 Really ? Snowdens are few and far between. Most people involved in this kind of stuff love it and love to keep their mouth shut.
1:23 "..it's like, imagine trying to remember the phone number for every single one of your friends. That doesn't make sense.."
Holy shit do I feel old now. First day of kindergarten we memorized our own home phone numbers, and then we always memorized the home phone numbers of our closest friends and family. I still remember like twelve different numbers from my childhood, some of which are out of service today!
Such a well put together video and that transition to Russia’s certificate was flawless. Thanks!
1:25 “imagine trying to remember all the phone numbers for your friends… it wouldn’t make sense”.
Me: well buddy back in my day…
Back in your day it still didn't make sense to do.
@@cmnidit4444 It happened simply due to the fact most people dialed numbers manually back then, so the number got cemented in your head anyway. And since calling was more prevalent, you dialed those numbers more often too.
I don't root for russia but at this point I'm not surprised anymore.
Russia is an analog world "root virus"
Who do you root for then?
FFS, geopolitical conflict isn't a game. You don't root for a team...
pun intended?
@@ereder1476 not my problem
And again, thanks for explaining everything to normies like myself. Much love 💕
"Imagine remembering the phone number of all your friends.. that just wouldn't make sense."
This is how it was done before cell phones. I'm not even that old but I still remember phone numbers of some of my friends from elementary school.
They're noted down in a notebook
Yes we never had a rolodex or a contacts book. We all memorized every number we needed.
Uhhhh, maybe you- as a kid- only had to remember them. functioning adults needed a contacts book however
The problem with this is that a single web site like youtube might have dozens of IP addresses, because they have load balancing servers all over the world. Maybe you remember the ip to the youtube server closest to you in seattle, but then you're going on a business trip to london and the ip you remember is now super slow.
Also, remember phone books? Those enormous books with a thousand huge pages? That's basically an analogue DNS server.
@@jakob4112 I am not saying that every single number was memorized. However, all close family members, family friends, etc were memorized numbers. My parents actually taught us kids to memorize the numbers in case there was a problem because that was "normal" at that time (2000s). My friends knew those numbers as well.
I do remember a little contacts book that also held the phone number for the doctor's office, dentist office, etc.
If I ever forgot someone's phone number I would just ask my parents and they would recite it to me. There are movies that reference this common behavior and older people I speak to mention old numbers that they still remember which are no longer relevant to them.
It’s important to realize that trust in a practical sense just means the issuing CA’s certificate is in your host os’s trust store. For windows that’s the crypto api (CAPI) store
Based content
Based content
I take major issue with citizens being punished for the actions of their leaders. Just remember that necessity is the mother of invention. With all of these sanctions from governments and big tech, the outcome will be that the Russian people will continue to march forward. What the world is doing right now will force Russia to develop all of this tech on their own - this will likely lead to more national pride, new products and services, and will diversify Russia's exports - in short these measures will make them stronger.
it seems like this was Putin's - or of whoever might be behind him - plan. He couldn't have not expected such an outcome.
Look at China, the US banned them from the ISS. But now China can make their own space station, meanwhile other countries are still crying and depend on the US for space programs
Looks like it... Russians announced that they will begin doing their own phones, laptops and other tech. And I'm sure after a few years they will manage to do it because they don't have other options. Even Chinese phones are now more expensive in Russia.
there is already a whole history behind soviet era tech that makes me doubt it will really go that way
@@JhoTerra The Russian federation and the USSR are two different things. Also what was the problem with soviet technology?
More videos on SSL and certificate authorities please! I am very interested in learning more
Interesting, so what you're saying is that Russia is basically building its own digital and financial infrastructure from the ground up which is more or less invalidating Western sanctions?
Exactly, quite soon it seems there will be a divided internet and financial system. One for the west and Europe and another for Russia China and Eurasia
China already has. Eventually, all the major economic zones will. They have seen how vulnerable they are depending on US tech.
It's all WEF/NWO agenda, y'all playing right into it. Dividing up the internet so that global communication becomes impossible. So you won't see the riots in Australia or New Zealand or Canada or Ukraine etc etc. The same players from Downing Street are behind destroying your economies, this is by design and it doesn't take too much digging to hear this straight from their own mouths in recordings archived in places scattered throughout the interweb. Russell Brand been talking about some of the evidence coming out though, great channel for waking up normos.
@@VertegrezNox - And you think that a global system run by abusive US Big Tech is better?
@@pharder1234 - I predicted that some time ago. These are strategic industries now, and must be locally based.
I'm surprised they don't have one yet. I live in a small country in eastern europe and we have a local company which runs an internationally recognized top level root CA, like included in windows. Ofc the company has deep ties with the local secret service and military and stuff.
yay new Mental Outlaw upload!
edit: very informative as always, keep up with the great content o7
Thanks for the video!
It was pretty interesting to watch!
Watame sheep in the last vid, and now confused Fubuki... can't tell if Kenny fell through the Hololive rabbithole or if he's just spending too much time lurking on /g/ lately :p
Mental Outlaw, is it true that Russia will legalise pirating? It would be huge ngl
There were some rumours, but the government refused to do so.
Just saw an article about how Russia might re-open all the Mcdonalds restaurants by lifting the trademark restrictions depending on how everything goes. It's def on the table I'd say.
The anomaly.
Do we proceed?
Yes.
He is still...
Only human.
@@Keepontakingit If they were smart, they'd just repurpose those restaurants to serve good food. Fuck McDonalds.
@@Keepontakingit And opening their doors to obesity?? Is better as they have it right now.
I feel like DigiCert & al. revoking Russian certificates in the first place was a huge, shortsighted mistake that just enabled them to do this. This outcome was inevitable, and what did it really accomplish aside from locking average people out of their online banking? Sanctioning Putin and his cronies, international transactions &c. is one thing, but denying everyday Russian people things like a secure connection to check if their paycheck has been deposited is just ridiculous and counterproductive.
Tbh, this also applies to most of the western sanctions. For example, what does removing of apple pay and google play accomplish, aside from restricting devices that common Russians did pay for? They probably just won’t trust those western companies anymore and rather buy a Chinese alternative or smth.
@@Th3_Revolution Definitely; it's petty and just fosters resentment.
Thanks for always sharing your knowledge. Learned a lot from your channel
Superfish was an example of certificates gone bad.
looks like there should be a certificate authority blocker
Never thought I’d see the day mental outlaw mentions VTubers
Your explanations are on point! Ty!
Comparing remembering IP addresses to remembering your friends phone numbers as being difficult? Oh how times have changed.
The more I learn about how much of a joke cyber security is, the more I'm coming to terms that just using cash for everything makes the most sense. I already suck at managing my personal life. Having to manage my cyber life like I need to be coding everything on Linux just seems too hectic for me. I'm better off fending off a mugger with my bare fists than I am trying to hide my tracks online for every little tiny thing when all I'm trying to do is just play some damn video games and watch videos lmao.
Weeb shit at the start:
Bottom left: Yoshino Koharu (Sakura Quest)
Bottom right: Fubuki (hololive)
Top left: Karen Kujo (kiniro mosaic)
Bottom Middle: Kurumi Nanase (Menhera Shoujo Kurumi-chan)
Hi from Russia. Don't worry, we are fine
Hail comrade
Still fine, tovatish
Creating your own CA doesn't let you spy on traffic. Encryption is still established securely based on website-hosted keys and certificates. Russia having their own CA only lets them sign child certificates, not decrypt traffic that was encrypted with those keys. Fundamentally, any CA provides an answer to the question "is the domain I typed into my browser the same one I'm actually connected to". Encryption happens between host and server, not between host and CA.
Not by itself. But the idea for the Kazakh MITM was that (1) the govt would force the ISP to reconfigure its DNS to point the real website's domain to a government server instead of the real website's server, and (2) the browser would allow this connection because the government's CA had been added to the browser's trusted CA store. The government server would then proxy the traffic to and from the real website's server. There would be encryption between the user and the govt server, and between the govt server and the real website's server, but the govt server would have access to the unencrypted traffic traveling between these encrypted connections.
Though in this case, Russia may just be trying to give Russian companies a CA to use, since Western CAs are revoking all Russian company certs. Like Mental Outlaw said, we have to see which sites they use the CA for to determine what their intention is.
Yes it does, first of all your understanding of cert being "is the domain I typed into my browser the same one I'm actually connected to" is partially correct at best. The thing is that while it does verify that, it's only a small part of its actual function.
When you initially connect to the website and the TLS Handshake takes place, you receive a Certificate which contains the Cryptographic Public Key (the Private Key of which is available only to the server), and now this key is used on the client side for encrypting and sending back to the server what we call a PMS (Pre Master Secret Key, it is used to calculate the keys which are used for encrypting and decrypting the traffic in a SSL/HTTPS connection) which is then decrypted by the server using the previously mentioned Private Key, and then it's used to compute the master secret and nonces, and finally it generates a pair of encryption keys which then will be used to encrypt and decrypt the traffic.
Now if you take a good look at this framework, there is a very apparent vulnerability, that is the fact that if someone on the same connection were to replace the initial SSL Certificate sent by the server with a certificate of their own, it would cause the whole connection to be vulnerable to a MITM attack as the PMS (which is used to calculate the key pair used for the encryption and decryption of the SSL traffic) will be interceptable and hence giving the attacker full access to the decrypted traffic.
To counter this Trusted Certificate Signing Authorities were put in place, basically a certificate is signed by a Trusted CA Signing Authority and when the certificate is sent by the server your browser runs the sign through a list of Trusted CAs (Digicert, Globalsign, etc) and if it matches any of them then the certificate itself is deemed legitimate hence allowing the TLS handshake to proceed further. And if it doesn't match any Trusted CA then depending on the browser you either get a warning or the connection is interrupted with an error.
And this is where having a Root Cert placed on the trusted certificate list of your OS/Browser comes in play, while you are right that the Cert in itself can't do much. But if someone is on the same connection as yours then they can intercept the traffic using that cert. Which is pretty easy for a country like Russia given the fact that all of the traffic goes through their own ISPs.
Now finally I'll explain in brief as to how this attack works,
Let's say that you are a client side browser trying to connect to Google and you have the Russian Root Cert installed on your Browser, and I'm someone with access to modification of ISP traffic.
Now your browser resolves the Google Domain name and sends a connection request to the Google server's DNS address.
Google responds with the certificate, that is where I come in and intercept the certificate and what I do is that I take that certificate modify it with the public key of my own Cryptographic key pair(to which I have the access to the Private key hence I can decrypt it). And now that the Trusted CA Authority sign is void, I simply sign it with the Russian Trusted CA, and send you the modified certificate with rest of the server response.
Now your Browser receives the certificate and runs its signature through the list of Trusted CA Authorities and it matches the Russian root cert that you installed,
So it trusts the connection and encrypts the PMS with the public key in the certificate (which you modified to the one that you hold the private key to) and sends it back to Google's DNS address, now what I do is that I decrypt that response and steal the PMS.
And then Encrypt the decrypted PMS with the actual legitimate Public Key that Google originally sent and forward it to Google.
Now that you have the PMS you can calculate the nonces and generate the key pair that will be used to encrypt and decrypt the traffic sent between the client and the Google server. Hence you will be able to decrypt, read, modify and encrypt all the traffic that flows between the Browser and Google. And all this could be easily automated, for example you could make a script that basically intercepts the credentials from the traffic and stores it in a database.
And yes, you're right that encryption happens between Host and Server and not Host and CA but with the key pair stolen anyone with the access to traffic could decrypt, encrypt and modify it.
While this could be avoided if you manually check the Certificate Verifying Authority to see if it's the Russian one or not. But most people who would install that cert in the first place won't really be cautious enough to check the cert every time.
@@aramfingal5180 DNS spoofing could also be done but it's easily detectable and avoidable and it's highly inefficient too. One could use their own DNS Record or any other ones rather than using the ISP's default one, and if they come down to DNS redirecting most browsers notice it instantly and block it. Also it would be inefficient (also unnecessary) as they would need to host a proxy instance of the website on their end which would require extensive resources. And it all would be unnecessary too, as they could simply use the cert to nab the PMS and use it to intercept the traffic on the fly without needing to put a proxy node in between.
Couldn't they make their own fake child certificates for the website and pretend to be the website though?
@@mathmagician8191 No need to pretend to be a website or host a fake/proxy instance of it when they can just intercept the traffic and decrypt/modify it using a cert spoof attack.
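A simplified model of the trust decision argued over in the thread above, added here as an example and not taken from the video or from any commenter. Toy textbook-RSA roots stand in for real X.509, and every name, key and function is constructed for illustration. It shows that a certificate carrying a different key for the same host name validates once an extra root is in the trust store, and that comparing against a previously recorded key pin and issuer is what flags the change.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent used by both toy roots


def make_root(p: int, q: int):
    """Textbook RSA key (n, d) from two primes. Toy sizes, no padding."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


@dataclass(frozen=True)
class Cert:
    subject: str        # host name the certificate was issued for
    pubkey: bytes       # stand-in for the server's public key
    issuer: str         # name of the root that signed it
    signature: int = 0

    def tbs(self) -> bytes:
        """Bytes covered by the issuer's signature."""
        return f"{self.subject}|{self.issuer}|".encode() + self.pubkey


def issue(subject: str, pubkey: bytes, issuer: str, n: int, d: int) -> Cert:
    unsigned = Cert(subject, pubkey, issuer)
    return Cert(subject, pubkey, issuer, pow(_digest(unsigned.tbs(), n), d, n))


def chain_ok(cert: Cert, hostname: str, trust_store: dict) -> bool:
    """The padlock decision: name matches and ANY trusted root signed it."""
    n = trust_store.get(cert.issuer)
    if n is None or cert.subject != hostname:
        return False
    return pow(cert.signature, E, n) == _digest(cert.tbs(), n)


def key_pin(cert: Cert) -> str:
    """SHA-256 over the public key, the value a pin or audit log would record."""
    return hashlib.sha256(cert.pubkey).hexdigest()


def assess(cert, hostname, trust_store, known_pin, known_issuer) -> str:
    """Chain validation plus a comparison with what was seen before."""
    if not chain_ok(cert, hostname, trust_store):
        return "rejected"
    if key_pin(cert) != known_pin or cert.issuer != known_issuer:
        return "trusted-but-changed"
    return "trusted"


# --- constructed sample data (Mersenne primes keep the toy keys readable) ---
HOST = "shop.example.test"
PUBLIC_ROOT, ADDED_ROOT = "Constructed Public Root", "Constructed Added Root"
N_PUB, D_PUB = make_root(2**61 - 1, 2**89 - 1)
N_ADD, D_ADD = make_root(2**107 - 1, 2**127 - 1)

DEFAULT_STORE = {PUBLIC_ROOT: N_PUB}                  # browser as shipped
EXTENDED_STORE = {PUBLIC_ROOT: N_PUB, ADDED_ROOT: N_ADD}  # after adding a root

GENUINE = issue(HOST, b"key-held-by-the-real-server", PUBLIC_ROOT, N_PUB, D_PUB)
SUBSTITUTED = issue(HOST, b"key-held-by-an-on-path-proxy", ADDED_ROOT, N_ADD, D_ADD)
KNOWN_PIN = key_pin(GENUINE)  # recorded on an earlier, known-good visit

if __name__ == "__main__":
    for label, store in (("default", DEFAULT_STORE), ("extended", EXTENDED_STORE)):
        for name, cert in (("genuine", GENUINE), ("substituted", SUBSTITUTED)):
            verdict = assess(cert, HOST, store, KNOWN_PIN, PUBLIC_ROOT)
            print(f"{label:8} store, {name:11} cert: {verdict}")
```

The signature check is identical in all four cases; only the contents of the trust store and the recorded pin change the outcome.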
Well, the hacker portion of this video was definitely scary.
It always is! I hate it... like we can't do much to stop it or fight back... as long as we don't have a data breach or do something dumb online, we're fine, but it is scary that you could be using a website you've always used then one day it's fake... and you wouldn't know unless you look hard. :(
Imagine you'd known how RU Internet segment works. Root certificates and authority centers exist here since 2000s - they are used for online trading, taxes, document signing (digital signatures). Surprise, it's not only bears and vodka in Russia.
Love these info segments. Thanks friend.
I live in Russia and even I didn't know that! Good job man
it means they hate freedom
as a computing student your videos are amazing.
as an artist, your videos are also amazing, more for the journalism.
you are definitely one of the best channels on youtube, and i constantly share your videos with my classmates.
Yeah man, back in the 90's we had 'key parties' to create circles of trust. The tech still works like that if people bothered.
This was a rather long way of getting to the point that you've been man in the middling my youtube sessions.... I promise I just like art style
If I get hacked, they’ll see my mental outlaw addiction.
In the United States there's already a rather large MITM operation, called "Cloudflare". You get the padlock and everything, but if you actually inspect the certificate, it isn't what you thought you were going to. Cloudflare is its own CA, Certificate Authority, and consequently it affirms that its customers are legitimate so you get the "padlock" symbol. So instead of going directly to a particular server, you are going to a *proxy* which inspects your packets and then re-packages them for transport to the actual server; and THAT link can be secured by the "real" server certificate or not secure at all.
When there's a malfunction in Cloudflare, customers make phone calls to banks and whatever but it isn't the bank's fault and indeed there's not really anything the bank can do about it.
"Fiddler" is a nifty diagnostic program that is a MITM proxy *right on your own computer* and it requires installing the Fiddler root certificate so that your browsers think they are talking to whatever but really they are talking to Fiddler. It makes it possible to diagnose problems with websites that use HTTPS.
Cloudflare is not a MITM operation. It's primarily a DDoS mitigation company and it's been around for a *loong* time.
Hey there, Russian here, the majority of PCs on which this fucking pain in the ass certificate is installed belong to schools, I know it because I study in one of them and I'm also the one who does all the computer stuff and Linux magic (in Russian school GNU Linux prevails since windows needs licensing). You get extensive instructions alongside an order that you have to install this certificate. This guide includes instructions for Linux
What city is this even happening in?
@@4EJT In Vologda Oblast it's definitely like this everywhere
So you're saying that most of our school computers run Linux? Now that's a laugh, I don't believe it
@@frankiefrom80s80 when were you in school, dinosaur? Russians aren't going to pay for Windows, and you can't install an unlicensed OS in schools. I don't know about Moscow, but Moscow isn't Russia; in my city all the non-fee-paying schools have Linux. I've also come across macOS with Windows via Boot Camp, but those are in the minority
There are laptops that come with activated Windows, but those are kept at the school for the EGE/OGE exams, or for the teachers
@@saveappitsme9554 I don't know about the rest of Russia, but in all the schools in Moscow and St. Petersburg I've only seen Windows. And I myself graduated from a school where all the computer labs were equipped with Windows PCs.
I see, a Man of Culture
16:47 Using certificates from Chinese CAs is probably the best move, big tech will probably not do anything to those lol.
Don't think the Russians would want the Chinese to be able to spy on them though.
@@AceOfHearts1498 I didn't think of that, that's a good point.
@@AceOfHearts1498 Hey I just looked it up and apparently CAs don't store private keys of issued certificates, how would they spy on you then?
The moment the American big tech does a thing to those, it will be the end of apple, end of apple fanboys. No more iPoon. No more M1 MacBock toys for them. They will panic "OMG! Where is my iPoon?", "Oh no! I can't live without my iPoon! Give me iPoon Max Pro Now! I need it!"
Every country should do the same. Too much risk to put the trust on Third Party CA
When you introduce an acronym, upon first use of said acronym, state what the letters stand for. At TI 1:43 you state “that is where DNS comes in”, without stating that it is an acronym for Domain Name System/Service and Domain refers to the name used for the web site, such as Google.
It would be helpful to non technical folks watching your video. Nice explanation of CA (Certificate Authority) though.
This is not a tutorial video - the audience this channel caters to is primarily those who work in the field. There is an expectation people watching this are technically literate in IT jargon.
@@vik914 then the first 2 minutes were talking down to the IT jargon literate. We did not need the description of how DNS works, because the author assumed we already know what DNS is, so he didn’t need to describe how it works.
@@vwfanatic2390 thank you
@@kaoskittykat857 as I said, nice explanation of CA’s,
Honestly, what is more important to a non technical person - the fact that DNS is a service that maps names to IPs, or what DNS stands for?
Without knowing what it does, Domain Name System could well be a fancy name for my browser bookmarks storage.
I don't even think that a non technical person would care about what the acronym means. It is just unneeded information beyond the scope of the video.
I will use that line 'Just send me the virus link' in future.
Mental Outlaw is secretly a weebo.
secretly?! :o
Damn you explain the whole HTTPS and SSL better than my lecturer
Is there a (relatively easy) way to mark a certificate authority as partially trusted, so that whether I trust it or not would vary on a site by site basis? Because, like, I would trust this new certificate authority if I'm connecting to some Russian government website, but not if I'm connecting to, let's say, youtube. Although, considering the levels of corruption, I wouldn't want to trust it even when connecting to govt websites, because I wouldn't be surprised if, sooner or later, either the private key will be sold/stolen, or there will be a certificate(s) issued for a fake govt website(s). But I guess I won't really have a choice.
Use Yandex Browser for the govt activities.
@@OggerFN That only works if the program isn't reading them from a random pem file somewhere in the filesystem. Linphone (the SIP softphone app) likes to do that.
If you want to partially trust a CA on a site-by-site basis, you might as well just configure the browser not to trust the CA at all. Just add the website certificate into your trust Exception list.
You're going to have to decide the site certificate yourself anyway.
idk if that makes sense. If the cert is trustable for one site, it's trusted for all, or trusted for none.
Use a VM.
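An added example, not taken from any comment above: in client code you write yourself, as opposed to a browser's trust store, an extra root can be scoped to particular sites by building the trust store per connection. The bundle file name `national-root.pem` and the suffix list are constructed placeholders, and the helper names are hypothetical.

```python
import ssl

# Constructed policy: extra root bundle (hypothetical file name) -> the DNS
# suffixes it may vouch for. Hosts outside every scope get system roots only.
SCOPED_ROOTS = {
    "national-root.pem": ("gosuslugi.ru", "gov.ru"),
}


def normalize(hostname):
    """Canonical ASCII form of a host name: lower case, no trailing dot, IDNA."""
    host = hostname.strip().rstrip(".").lower()
    if not host or any(label == "" for label in host.split(".")):
        raise ValueError(f"malformed host name: {hostname!r}")
    return host.encode("idna").decode("ascii")


def in_scope(host, suffix):
    """Match only on a label boundary: 'evilgosuslugi.ru' is NOT in 'gosuslugi.ru'."""
    suffix = normalize(suffix)
    return host == suffix or host.endswith("." + suffix)


def extra_roots_for(hostname, policy=SCOPED_ROOTS):
    """Return the extra root bundles allowed to vouch for this host (often none)."""
    host = normalize(hostname)
    return sorted(
        bundle
        for bundle, suffixes in policy.items()
        if any(in_scope(host, s) for s in suffixes)
    )


def context_for(hostname, policy=SCOPED_ROOTS):
    """Build a one-connection TLS context: system roots plus in-scope extras.

    Pass the same hostname as server_hostname when wrapping the socket, so a
    certificate from a scoped root is accepted only for the sites listed for it.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    for bundle in extra_roots_for(hostname, policy):
        ctx.load_verify_locations(cafile=bundle)
    return ctx
```

A scoped root can still issue a substitute certificate for a site inside its own scope; the policy only keeps it from vouching for everything else.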
... don't remember phone numbers... Everyone born before 1985 is like yeah that's what we did....
The real reason is: *Thawte CA* recently has revoked certificates of some russian banks. It broke banks' websites. "National" certificates can avoid that in the future. Although "national" certificates allow _"major comrade" («товарищ майор»)_ to read users' traffic, that is NOT the real reason for their creation.
P.S. Seven years ago national card processing system was created in Russia. Today *VISA* and *MasterCard* have stopped card processing in Russia, so the national system is the thing that still makes processing their cards possible.
I think Russia will benefit from separation of system dependence on the US. It seems that US Democrats are rude to Russia whether they are invading other countries or just minding their own business. Both Europe and Northern American liberals want Russia to be public enemies. Russia is better of accepting this and becoming totally systems independent of these nations.
I'd rather let comrade Major read my traffic than "Sir yes Sir" guys
Visa and Mastercard are completely useless cards in the current situation; MIR can at least be added to MirPay. I remember that when I was issued my university card in September 2021, Sberbank also foisted a Mastercard on me, saying "well, you know you can't really pay with a MIR card anywhere".
As for all these certificates and domestic OSes, those are things to stay well away from. If windows stops working, I'll install debian or ubuntu, not "Astra", which has 100% been stuffed with spyware and a backdoor for major comrade.
Use google translate if necessary. My text English is very bad, I can only understand.
Onion, you say, hahahah.
The gov. blocked all the Onion gateway nodes as well as bridges over here.
Anyway, Onion has always been overrated due to its convenience factor.
Time for I2P, Freenet and such again…
I'm your Russian viewer. This means we'll use one of those two shitty browsers for government websites and regular browsers for the rest of the Internet.
for this they use yandex browser - it is based on chromium, and it works very well, many people use it
@@ivagov5758 yeah, yandex and any chromium stuff is just a ram consumer, i won't install it just to use gosuslugi lol.
I still remember numbers from when I was a kid and there were no cell phones. I think you underestimate the human capacity to remember strings of numbers. Great explanation of https though!
They can pay Snowden big money to help with this 👍
Thank you, very educational
“Like having to remember all your friend’s phone numbers, that’s not reasonable” Yeeeea…that used to be a thing 😆. You can remember a SURPRISING number of 10 digit numbers when “fun” is on the other end and digital storage doesn’t exist yet
The world : *tries really hard to punish russia for the 294th time*
Russia : Fine, I'll do everything myself
This is what they don't realise. They aren't dealing with Iran, north Korea or Cuba. Russia is massive and has all the materials and allies it needs to keep going without the west, whereas the west need these raw materials badly as they are reliant on them XD
@@LawrenceTimme Keep me posted about how russia will cope with computer chip embargo. ;)
@@FVBmovies we've survived 200000 years without chips, they will manage.
@Fihlippe Luhis You'd think country with 2x coups be smarter. Even China denied airplane parts to russia.
@@FVBmovies Putin's team will just squeeze out the last bit of money out of the country and leave to retire in their palaces in foreign countries. The ruin they'll leave behind doesn't concern them, and we, the young generation, will have to somehow put it all back together. I had no idea what to expect until recently... Now i think i understand. And it's not looking too good.
There is nothing more beneficial for the average citizens than a government that strives for economic independence.
Being able to produce basic necessities is a must for a strong independent nation.
If we have a truly free market then large companies will rule instead of the government.
@@lol-dm8wx I was talking about production a country that can function by itself is in a better position than one relying on other countries to survive.
Also the government has a monopoly on force and most major US corporations are buying that force for their own means. Which means those corporations are the ones currently running the show.
@@redrocket8062 ah
Who knew that all it took to liberate one's nation was to disagree with other nations, start a war, and undergo sanctions. Could this intense opposition create a fully independent Russia?
Yes more or like China on the field of Internet and Technology
Countries like India should learn some lessons being too dependent on Western Companies.
liberate huh
'liberate' hahahahahahhhhahahhahhaha🤣🤣🤣🤣🤣🤣🤣🤣🤣
@@Qew77 i meant in the sense that one's economy is fully self reliant.
I didn't understand anything but i watched the whole video still. Gotta support the homie.
On a side note: if you hack a DNS server, you can prove ownership of the domain and acquire a certificate for it (Domain Validation certificate). There's also extended validation and organisation validation which verify more than just the domain.
What TLS is actually most useful for is encrypting your data. This way if someone is monitoring your network (your ISP, a public cafe or whatever) they cannot see the data you send and receive from https websites.
Another great tool is preventing man-in-the-middle attacks (mitm). In a mitm attack, the hacker targets your pc, network or browser (much simpler targets than dns server) and tricks only your pc/network to a different IP. The difference here is because they do not have public exposure (only your compromised pc/network) of their IP on global dns, they will not be able to verify ownership thereof and create a TLS certificate.
"if you hack a DNS server" - what does it even mean? That's like "hacking a phone book".
@@graealex I guess in a way it is something like that. You'd get a wrong phone number if someone "hacked" a phone book, and could then be subject to nefarious individuals
@@marcusvinicius9213 The point was that a DNS server is usually the finished publication, like a phone book. The thing is, when you try to validate a domain to get a certificate for it, the certificate authority will look into their own copy of the phone book - i.e. changing any DNS server - basically changing your own phone book, or any, won't make the CA see you as the owner.
Instead you need to hack the servers from where the DNS entries get published. For many companies, that'd be their hosting provider. You can then insert the necessary DNS entries that the CA wants to see when you do the validation, and receive a valid certificate.
@@graealex Oooh, i see. Sorry, i still have a lot to learn.
good, the internet should be free and open to all.
Old Millennials and Gen-Xers be like: Right, just imagine how totally insane it would be to actually know peoples' phone numbers... 😏
There's a reason why we were sent phone books heavier than bricks every few years. We couldn't remember every number we needed either, except for our inner circle. And in the context of the internet, web sites pretty much have different numbers based on what you're trying to do, or where in the world you're logging on from. It'd be an absolute nightmare.
It also helped that our closest friends and family would usually have the same area code, which makes the digits you needed to remember even fewer. IPs of your favourite web sites don't follow any sort of pattern like that.
@@stale2665 I agree with you on your point about area codes, and I'll even kick it up a notch (bam!): most people's phone numbers rarely changed, so it was much easier to eventually commit it to memory
In fairness, address books were a thing...
Phone books though, were not for the purpose of having access to numbers you already knew, but were for allowing you to (hopefully)look up a number you didn't already know. And they were kinda terrible at it, too
They were, however, excellent for stacking up to give your home that rustic, lived-in hoarder feel :D
I've heard of a padlock, but WTF is a "lockpad"? 🤣
Is there any firefox\chrome extension that remembers dns number for bookmarks instead of its http address? It would be helpful sometimes.
It's called a notebook. Return to monke.
browser already caches most stuff
You could just add them to your host file.
>dns number
The word you're looking for is IP address.
@@dankdreamz Yep, /etc/hosts is exactly that
That vTuber addiction example hit so close to home, I had to hide under the table.
They actually have a list of domains that use the certificate, it's the second button on the gosuslugi website that says CSV-something. It's mostly banks and government websites
That button says "download csv-file" and it isn't the list
@@shadesoftime csv is a microsoft excel document format
@@nullmind r/whoosh
@@shadesoftime am i too smart to understand this?
@@nullmind who knows, does that CSV file contain the domains that use the certificate? He seems not to believe so
Good. Internet should be free and open by any means.
Hey man, wondering if you are going to make a video on DuckDuckGo's most recent announcement on twitter, which I find ridiculous.
What was it?
@@straightupanarg6226 They are going to "rank down" searches that go against their views, so basically they are becoming Google but with less budget and no selling points.
@@Rarog204 So trashy, I now have no reasons at all to use this piece of s*.
@@PefectPiePlace2 duckduckgo is google search engine except it removes some manipulation.
If you want a real search engine use Yaccy.
@@HamguyBacon yaccy? Hmmmm
"Imagine trying to remember the phone number for every one of your friends, that doesn't make sense"
Ya know, I hear that people used to do this in the long long ago...
I love the fact that you can distinguish between politicians and people. We all know that Putin is crazy for doing this shit, but you care of your Russian viewers, because in the end, they are just regular people like any of us.
@agapp11able Donbas annexation could have been understandable. But full war, and even threatening of using nuclear weapons is not reasonable. The whole world thought he was smart enough to choose other _smarter_ ways to protect his power. Hopefully, he goes back to being reasonable.
@agapp11able "the Ukranian president threatened to build a nuke and fire it into Russia"
According to who? Russia?
Edit: Ah, yes, Rossa Primavera discussing the "liberation" of Ukraine. The most trustworthy of sources.
@agapp11able And rather conveniently, since YouTube's automod deletes links now, you have literally no way of providing an actual source beyond "trust me, bro".
@@hezu_vt You can’t go back to reasonable from that.
Great information and advice.
Install another copy of Firefox, if you have regular Firefox already you can get Beta, Developer Edition or Nightly, install certificate, now you can choose if you want to get mitm by NSA or KGB. And if you think that NSA doesn't have keys from all the western CAs I got a bridge to sell you.
Or just take the portable version
I know right? Everything is so messed up in the way it's set up it's insane. I'm sure there are methods of encrypting packets without having a massive eye surveilling you but they are purposefully not implemented.
mental outlaw thank you
not even mental outlaw seems to be aware of the simple, yet effective wonder that is DANE, it would solve all of these problems, as long as 1) the entire DNS system supports DNSSEC (and has it enabled), and 2) the government isn't tampering with their dns root server (which is highly unlikely and would only allow targeting specific sites, one at a time, unless they wanna destroy their entire internet)
DANE got killed hard under mysterious circumstances, the likelihood of it ending up in browsers is practically nil these days.
DANE does not really solve that problem. DNSSEC leaves one big hole: You have to trust your DNS server. It can just lie to you and set the AD bit, even if signatures were not checked or incorrect. DANE records therefore can’t be trusted 100% either
@@stevemeier2852 DNSSEC is designed to protect against DNS poisoning, since the DNS records are signed by the domain holder
as more and more clients support DNSSEC by default DANE will become more and more useful
even if you were using a malicious DNS server then DNSSEC will save you, there's a reason why DNS servers that block ads, trackers and malware fail DNSSEC checks client side.
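An added example, not from any commenter: how a DANE-EE TLSA record (RFC 6698) pins a site's certificate or public key, so that a substitute certificate fails the match whichever CA signed it. The byte strings are constructed stand-ins for real DER data, the function names are hypothetical, and the code assumes the TLSA record was DNSSEC-validated by a resolver the client trusts.

```python
import hashlib
import hmac

DANE_EE = 3                       # certificate usage 3: pin the end-entity cert
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}   # matching types 1 and 2


def parse_tlsa(rdata):
    """Parse presentation-format TLSA rdata: 'usage selector mtype hexdata'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type, data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown selector or matching type")
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))


def dane_ee_matches(rdata, cert_der, spki_der):
    """Check a presented end-entity certificate against one DANE-EE record.

    selector 0 compares the whole certificate, selector 1 only its
    SubjectPublicKeyInfo; matching type 0 is the raw bytes, 1/2 a digest.
    Usages 0-2 need chain building and are rejected here.
    """
    usage, selector, mtype, expected = parse_tlsa(rdata)
    if usage != DANE_EE:
        raise ValueError("only certificate usage 3 (DANE-EE) is handled")
    selected = cert_der if selector == 0 else spki_der
    actual = selected if mtype == 0 else DIGESTS[mtype](selected).digest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data (not real DER): the site's own key and certificate,
# and a substitute certificate carrying a different key.
SITE_SPKI = b"constructed-spki-of-the-real-site"
SITE_CERT = b"constructed-cert|" + SITE_SPKI
OTHER_SPKI = b"constructed-spki-of-a-substitute-cert"
OTHER_CERT = b"constructed-cert|" + OTHER_SPKI

# What the domain owner would publish: usage 3, selector 1 (SPKI), SHA-256.
PUBLISHED = "3 1 1 " + hashlib.sha256(SITE_SPKI).hexdigest()


def demo():
    """Return (real site matches, substitute matches)."""
    return (
        dane_ee_matches(PUBLISHED, SITE_CERT, SITE_SPKI),
        dane_ee_matches(PUBLISHED, OTHER_CERT, OTHER_SPKI),
    )
```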
thanks for info!
The World Wide Web was born at the end of the 20th century, but I am starting to doubt it will survive the 21st 😔
All that needs to happen is the major vendors remove trust for the new russian authority, then it will be no different to a self signed.
Moral of the story: CAs are another political weapon, just like the rest of Big Tech.
Good for them.