Hacker News

I was thinking of the part that says "Man-in-the-middle attacks with TLS"

The Chinese National Intelligence Law theoretically allows the Chinese government to request and use the root certificate from any Chinese certificate authority,[55] such as CNNIC, to make MITM attacks with valid certificates.

Multiple TLS incidents have occurred within the last decade, before the creation of the law.

On 26 January 2013, the GitHub SSL certificate was replaced with a self-signed certificate in China by the GFW.[56]

On 20 October 2014, the iCloud SSL certificate was replaced with a self-signed certificate in China.[57] It is believed that the Chinese government discovered a vulnerability on Apple devices and was exploiting it.[58]

On 20 March 2015, Google detected valid certificates for Google signed by CNNIC in Egypt. In response to this event, and after a deeper investigation, the CNNIC certificate was removed by some browsers.[59] Due to the removal being based on proof and not suspicion, no other Chinese certificate authority has been removed from web browsers, and some have been added since then.[60]

This type of attack can be circumvented by websites implementing Certificate Transparency and OCSP stapling or by using browser extensions.[61]


