MITMing TLS requires either (1) a falsely issued certificate, which would be "a big deal" when (not if) found and would lead to the issuer losing their status as accepted in browsers, or (2) the user to install a certificate generated by the person doing the MITM; this is often done in corporate environments.
> Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites.
Are we sure that there won't be an exception installed to this in favor of broadband providers, considering the paths already taken?
Terms and conditions of this comment: This comment is provided for free to <https://news.ycombinator.com> AKA "Hacker News", including any redistribution to be considered under the clause of fair use. Any other redistribution, including injection of third party content or surrounding content, chrome, or any other HTML element(s), be it in static or generated code, is considered a violation of the terms of this contribution.
Your browser and OS quickly delist any certificate found to have forged a certificate for a website they don't own. They're unapologetic about it too - and don't care who they piss off.
However, browsers have played along with US legislation previously. (E.g., when long key encryption was restricted to US versions only.) I'm not sure if Mozilla would be playing along nowadays, but you can't be too sure, either. Moreover, you could consider certificates installed by antivirus software as some kind of prior art to this. (While considered a security risk, at least by some, they are not delisted.)