Thank you for the lecture on downvotes. You are 100% wrong because we are discussing the presence of the private key. Your scenario imagines an intelligent proxy that interacts with China intelligently. In that scenario the private key remains on the end user machine to enable low latency as you describe. The upthread poster presented the scenario wherein the key is not distributed on end user machines for security reasons, but that then means the key must live on the theoretical server in China (otherwise how else would you encrypt a connection against your certificate), which would require passing the entire TLS connection through that server to perform the MITM.
This subthread is about private key distribution. It's really poor form for you to react to being downvoted (as legitimately wrong) by lengthening your comment by a factor of 5 and lecturing people about downvotes.
No, you don't need to pass the TLS connection to China to perform an MITM. Superfish would generate a cert at installation time, unique to the specific user that was being targeted. The channel back to China would be protected by TLS too, but it wouldn't be MITM'able by anyone except Superfish HQ, unless they lose their private key.
I disagree that it's poor form to react to downvotes when they're wholly unjustified. Maybe I did a bad job explaining myself. In that case, I should explain myself better. That's a positive thing, not a negative. Reddit has this stupid trope like "Complaining about downvotes? That's a paddlin'," which, if you think about it, is just a self-reinforcing culture of bandwagoning. But I imagine that this is now entirely off-topic and boring, so let's focus on the tech.
Again, irrelevant. This thread isn't "sillysaurus3 imagines how he would implement the perfect proxy," it's correcting an assumption about the actual existing proxy. I suggest that if you want to pursue your off-topic study of how to implement a proxy that doesn't introduce latency while performing the functionality, you do it elsewhere.
You should also read the HN guidelines before explaining downvote etiquette to me, because they will surprise you, apparently.
Why should I do it elsewhere? This is a thread about an interesting tech topic, and maybe some people might find that aspect interesting. This is the last comment I'm going to write to you because this is now wholly uninteresting to readers. I'll never understand this mindset of "Oh, well, there might be a misunderstanding here, but rather than clarify it calmly and rationally, I'll take this as a license to be angry and mean."
Who cares if someone thought that the proxy was going to work like X, but it turned out to work like Y? What matters is that if it can work like Z, then Z should be pointed out, especially if it enables some interesting aspect that people previously hadn't noticed. Anyway, you've successfully killed the fun of HN for me for the day, so see you later.
It says a lot about you that you think a calm explanation of your downvotes, as you are plainly in hysterics over them, is me being angry and mean. I meant elsewhere in the thread. You corrected someone who was correcting someone else, and you were wrong about the spirit of your correction. I was calmly suggesting that if you want to think through such a hypothetical you shouldn't do it as a misplaced correction.
You really need to unplug for a bit. I'm dead serious.