Blocking HTTPS would be frighteningly hilarious. My employer is one of thousands of websites that utilizes HSTS, which tells web browsers to use HTTPS. Our implementation of HSTS, like lots of banks etc. is also listed with HSTSpreload, which means browsers like chrome will only ever use HTTPS with our site.
I seriously doubt Chrome or Firefox would ever be coerced into trusting a cert like that. If they did then you would see a very rapid shift away from those browsers to one or more of the open source alternatives.
And any CA that issued such a cert that allowed for wholesale MITM access like that would be blacklisted by all the browsers very quickly as well. That would put the CA out of business very quickly.
Blocking HTTPS would be frighteningly hilarious. My employer is one of thousands of websites that utilizes HSTS, which tells web browsers to use HTTPS. Our implementation of HSTS, like lots of banks etc. is also listed with HSTSpreload, which means browsers like chrome will only ever use HTTPS with our site.
What if they just do MITM with a Trusted root? Does HSTS provide a method to do cert pinning?
HSTS just enforces HTTPS over HTTP.
I seriously doubt Chrome or Firefox would ever be coerced into trusting a cert like that. If they did then you would see a very rapid shift away from those browsers to one or more of the open source alternatives.
And any CA that issued such a cert that allowed for wholesale MITM access like that would be blacklisted by all the browsers very quickly as well. That would put the CA out of business very quickly.