Combine this with exploits into one or more broadly trusted certificate authorities (which surely exist) and it's pretty amazing how much data China would have been able to obtain.<p>Every time I bring up the following point someone chimes in that it's a bad idea, but I still fail to understand why it's not easy to pick which CAs I want to trust by picking a list of entities/people I trust and then adopting their recommendations for which CAs to trust.<p>This would be a few clicks of UI to let me be intelligently paranoid while maintaining only a layperson's understanding of why (say) Bruce Schneier decides to trust some and not others.
I'm continually amazed at how insecure almost every aspect of internet routing is - it mostly boils down to a sort of "gentlemen's agreement" that everybody will follow the rules.
CT and Chinese ISPs have been hijacking user traffic for decades, profiting off of it by selling traffic dumps to data-exploiting companies, inserting ads in webpages, and stealing social media tokens (for follower boosting and ads retweeting).<p>I've found China Unicom openly hawking their data mining products. <a href="https://imgur.com/a/uNxA50K" rel="nofollow">https://imgur.com/a/uNxA50K</a>
This is one of the reasons TLS/SSL and crypto are so amazingly important.<p>Go ahead, monkey around with BGP; since I have the public key of the recipient of my packets, I can detect this and block any type of misdirection.
OK, so I'm sitting here, posting to HN in Firefox. And if I like, I can open a terminal and run something like:<p><pre><code> traceroute news.ycombinator.com | grep -f chinese-ipv4 -f chinese-hosts
</code></pre>
And indeed, there could be a Firefox extension that did that, right? So at least, users would know.
Tangent, but are traceroutes spoofable (barring timing differences), or would they break too many other things to be practical? I'm wondering if anyone might do that to hide their tracks.
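An added example, not posted by anyone in the thread: the traceroute check from the comment above, done by matching each hop address against CIDR prefixes instead of text patterns. The prefix list and the traceroute output are constructed from RFC 5737 documentation ranges, and the parser assumes the default `hostname (address)` output format.

```python
import ipaddress
import re

# Constructed prefix list standing in for the comment's "chinese-ipv4" file.
# These are RFC 5737 documentation ranges, not real allocations.
WATCHED_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed traceroute output (documentation addresses only).
SAMPLE_TRACEROUTE = """\
traceroute to example.test (192.0.2.80), 30 hops max, 60 byte packets
 1  gw.example.test (192.0.2.1)  0.412 ms  0.388 ms  0.371 ms
 2  * * *
 3  core1.example.net (198.51.100.17)  9.120 ms core2.example.net (198.51.100.200)  9.301 ms  9.299 ms
 4  203.0.113.9 (203.0.113.9)  41.002 ms  40.870 ms  40.913 ms
 5  192.0.2.80 (192.0.2.80)  42.500 ms  42.377 ms  42.401 ms
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
# Only trust the address in parentheses: the name before it comes from
# reverse DNS, which the owner of the address controls.
IP_IN_PARENS = re.compile(r"\(([0-9a-fA-F:.]+)\)")


def flag_hops(traceroute_text, prefixes):
    """Return [(hop_number, ip, matching_prefix)] for hops inside any prefix."""
    networks = [ipaddress.ip_network(p) for p in prefixes]
    hits = []
    for line in traceroute_text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header line or anything that is not a hop
        hop = int(m.group(1))
        seen = set()  # one hop can list several routers (load balancing)
        for raw in IP_IN_PARENS.findall(m.group(2)):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # parenthesised text that is not an address
            if ip in seen:
                continue
            seen.add(ip)
            for net in networks:
                if ip.version == net.version and ip in net:
                    hits.append((hop, str(ip), str(net)))
                    break
    return hits


if __name__ == "__main__":
    for hop, ip, net in flag_hops(SAMPLE_TRACEROUTE, WATCHED_PREFIXES):
        print(f"hop {hop}: {ip} is inside {net}")
```

A clean result only covers the forward path and the routers that answered; hops shown as `* * *` contribute nothing to the check.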