
thr0w3345 | 5 years ago

But that would only allow them to sign new certs. CAs don't get the private keys, only the public part to sign... Or did I misunderstand you?

bootloop | 5 years ago

That's correct. To sniff traffic without replacing the certificate with one of their own, they would need the private key which was used in a session. (That key might have been derived from the server private key, but again nothing the CA has access to.)
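The point both comments make, that a CA only ever sees the public half of the server's key, can be checked directly. The script below is an added example, not part of the thread: it generates a server key pair and a certificate signing request (the artifact a CA actually receives), then shows that the CSR carries no private key material and that the public key inside it is exactly the public half of the server key. It assumes the `openssl` command-line tool is installed; the directory, file names and subject name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): what a CA receives when asked to sign a cert.
set -e

workdir=$(mktemp -d)
key="$workdir/server.key"   # stays on the server, never sent to the CA
csr="$workdir/server.csr"   # this is what the CA gets

make_csr() {
    # Server-side: generate a P-256 key pair and a CSR for a constructed hostname.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$key" 2>/dev/null
    openssl req -new -key "$key" -subj "/CN=example.test" -out "$csr" 2>/dev/null
}

csr_has_private_key() {
    # Exit status 0 only if the CSR contains a PEM private-key block (it must not).
    grep -q "PRIVATE KEY" "$csr"
}

csr_pubkey_matches_key() {
    # The public key embedded in the CSR must equal the public half of server.key.
    from_csr=$(openssl req -in "$csr" -noout -pubkey)
    from_key=$(openssl pkey -in "$key" -pubout)
    [ "$from_csr" = "$from_key" ]
}

make_csr
if csr_has_private_key; then
    echo "unexpected: CSR leaks private key" >&2
    exit 1
fi
csr_pubkey_matches_key && echo "CSR carries only the public key; private key never left $workdir"
```

The check that matters for the thread's question is `csr_has_private_key` failing: a CA that signs this request can issue a certificate binding `example.test` to that public key, but it still cannot decrypt or authenticate as the server, because the private key was never part of the request.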