> Certificate pinning would only help if the certificate the government is presenting matched the site's URL.
And what prevents the government from doing that? Certificate pinning will address MITM no matter what - if the certificate the browser receives is not the one it pinned, it will refuse to connect even if the cert was signed by another trusted authority.
Although it's unclear from the article as to what really is happening - is it that Apple trusts whatever Chinese CA is used to forge the certificate for iCloud.com but others like Mozilla and Google don't? In any case I don't see how pinning won't help here.
No, nobody trusts this certificate - it is identical to the one you generate yourself with OpenSSL. Certificate pinning would be nice but it's simply not the issue or fix at hand here...
If China were to misuse the root I believe their academics dept has, it would be instantly banned. There was a Bugzilla bug about removing it @ Mozilla and a LOT of people supported it, but it won't be removed unless there is abuse.