
Mozilla Is Considering Revoking TeliaSonera Trust For Sales To Dictators

Posted by Soulskill
from the trust-must-be-deserved dept.
ndogg writes "Mozilla is considering pulling TeliaSonera from its list of root certificate SSL providers. They have asked for comments on this on their mailing list. They're concerned about the use of the certificates by those governments for spying on their citizens, particularly in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan — where TeliaSonera operates subsidiaries or is heavily invested. Mozilla's concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites — so-called man-in-the-middle attacks — and decrypt web traffic. This alleged activity would contradict Mozilla's policy against 'knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates.'"
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Tuesday April 16, 2013 @05:07PM (#43466885)

    Instead of trusting any of these companies (they'll sell to the US government as well, I'm sure), why not switch to Convergence [wikipedia.org]? It reduces the need to trust companies like this.

    Mozilla (and Google, and other browser makers) should include it by default in all their products (even if turned off) to make it easier for people to switch away from centralised systems. Viva le revolucion.

    • by crow (16139) on Tuesday April 16, 2013 @05:45PM (#43467213) Homepage Journal

      I'm not particularly impressed with Convergence in particular. What seems to make the most sense is to self-publish SSL certificates using DNSSEC.

      • now this... this seems like something I'd be interested in reading about. Is there some real discussion about this, or did you come up with it yourself? (It's not a bad idea at all at first blush)

        • by Anonymous Coward

          http://tools.ietf.org/html/rfc6698
          http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

          In short, it's very new and no browser has serious support for it. Except maybe the Chromium dev channel.
          https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Google_Chrome

      • by Znork (31774)

        I don't quite get how DNSSEC will solve anything, doesn't DNSSEC use trust anchors that can be just as compromised as the current SSL 'trust'?

        Or is there some special extra trustworthiness that makes the root signers more immune to coercion or trickery?

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Proper DNSSEC uses a single trust anchor for the root "." that can validate the delegated registries (com., net., uk., fr.). DLV registries were a hack until the root zone got signed, which has now happened.

          For DNSSEC to work you need to validate the responses of signed zones and you need to trust their corresponding registries (for .com Verisign). The person signs their zone (example.com) and pushes their public key up to Verisign in the form of DS record. The registry can remove the public key, causing th

        • It's not some entity other than the one who's already directing you to the website. Presumably if it were easier to redirect at the DNS level as opposed to MITMing and getting a fake certificate, people would be doing that instead. It also makes any compromise much more visible and reduces the number of people you need to trust absolutely.

          • I partly agree, but there are problems with just trusting DNSSEC.

            In the current situation, to impersonate an SSL protected site you need to MITM in some way (e.g. DNS spoofing), and get a valid certificate for the domain. So you have to at least attack two different security measures (even if MITM is simple for some entities).

            If certificate info is published in DNSSEC you need to compromise only one place to achieve both MITM and add fake certificates. Sure it might be harder, but if this method was used, I

    • A great feature of Convergence is the ability to have multiple signatures. HTTPS needs this too. Imagine the current scenario where gmail regularly has 25 signers on its certificate and then one day there is only one. With something like EFF's HTTPS Everywhere SSL Observatory, this could be flagged.

      But, switching TLS signing to PGP is a big deal and not backwards compatible. What I'd like to see (somebody else do this so I don't have to) would be an extension that would allow multiple certificates to be

  • by Anonymous Coward on Tuesday April 16, 2013 @05:13PM (#43466949)

    Mozilla still includes all kinds of questionable cert authorities. Once I learned that, I had to go through my default Firefox installs and remove all the ones by Chinese government arms and similar.

    Why single out these countries? I will never need a cert signed by a foreign government - ANY foreign government. There are probably only about 5% of authorities I actually might trust included in Firefox. The rest are illegitimate for 99% of users.

    • by interval1066 (668936) on Tuesday April 16, 2013 @05:18PM (#43466979) Homepage Journal

      I will never need a cert signed by a foreign government - ANY foreign government.

      I'm having a hard time with trusting domestic governments as well.

    • Mozilla still includes all kinds of questionable cert authorities.

      Oh yes? Please list them and link to a certificate provided by one of them which has been issued without the permission of the party it has reputedly been issued to. Specifics please. This is the criteria, more or less the only criteria, which makes a cert authority questionable. Otherwise you are just (correctly) questioning the CA system which doesn't do what you think it does.

    • by Krenair (2501522)
      So how would you propose that be fixed? I'm not sure it'd be a good idea to distribute hundreds of different copies of Firefox each with a different set of root certificates for the correct country.
  • As to sell services to dictatorships?! Of course not!

    But those Swedes (and Finns == Swedes in disguise... Or it's vice versa?) they are capable of anything. Just remember that Finnish (his mother's tongue is Swedish, ha!) guy who invented Linux, and you will understand what they are capable of!

    Mozilla, please stop them!

  • Good to see (Score:5, Interesting)

    by starfishsystems (834319) on Tuesday April 16, 2013 @05:45PM (#43467205) Homepage
    It's good to see browser maintainers recognizing that the browser is an essential - albeit uncertified - part of HTTPS authentication.

    The preinstalled root certs have enormous leverage. If the validation of certificate requests performed by CAs is a known weak link in X.509, how much more so the point where those CAs are designated as trusted?

    Thanks to the efforts of Mozilla, among others, we have a much more diverse browser ecosystem than even a few years ago. To some extent at least, the free market can decide which browser to use. I know that I'm more inclined to use a product that is squarely on the side of human rights than one which can be used as an instrument of oppression. And these difficult questions of policy and enforcement provide a chance for Mozilla to distinguish itself, which I think it's doing very ably.
    • Brazil. [mozilla.org] So this kind of action is a natural extension of that.

    • I know that I'm more inclined to use a product that is squarely on the side of human rights than one which can be used as an instrument of oppression.

      Then you may want to consider not using Mozilla. They're talking about pulling the certificate authority of a half dozen smaller countries on the suspicion that it has cooperated with those governments' lawful requests to monitor their citizens' internet access. Or as it is called on slashdot, "spying." But here's the thing: There's no proof. It's just a suspicion... and it's a suspicion based on guilt by association no less.

      So Mozilla is proposing forcing some of the people in these countries to use insecur

      • The willingness to hear about suspicions is a necessary part of gathering evidence, it's not a final assessment of evidence. "Talking about" doing something is a necessary part of due process, it's not the final outcome. If you don't understand these basic distinctions already, please give them some thought,

        Speaking of weighing evidence, can you be a little more specific than a vague reference to "half a dozen smaller countries"? It's not possible to take such claims seriously. They certainly don't co
        • Speaking of weighing evidence, can you be a little more specific than a vague reference to "half a dozen smaller countries"? It's not possible to take such claims seriously. They certainly don't constitute grounds to think less of Mozilla, but they do raise doubts about you if this is your best way of establishing credibility. (And no, you can't date my daughter either, in case you were wondering. You're definitely not in her league.)

          From the summary of the article: "Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan". And no, I wouldn't want to date your daughter, if she's got a personality anything like yours though, I can well imagine your desperation to find her someone.

      • by ftobin (48814) *

        I don't see how people are being forced to use insecure communications. Websites can choose to get certificates from wherever they want. All this does is take out one of the certificate providers.

        • by idontgno (624372)

          Which is likely to be the source of trusted certificates for locally-provisioned HTTPS. Sure, no one's hijacking connections to US sites, but a local-language and locally-sited Google or Facebook or Twitter could be fair game.

  • by ivrogne (2498422) on Tuesday April 16, 2013 @05:48PM (#43467245)

    Why doesn't everyone use SRP [wikipedia.org] instead?
    - User proves it has password without divulging any data.
    - Man in the middle obtains zero information.
    - Generates encryption key for rest of the connection.

    • by Anonymous Coward
      In order to prevent active attacks, you need something to base the trust off of. In SSL, CAs are used, which is quite questionable because there's a lot of them with lots of different possible influences. In SRP, a shared secret (in the form of a password entered by the user) is used. That requires (1) somehow prearranging a shared secret and a related (2) a way of handling the user losing that shared secret. It seems like a good idea for applications like banking where you have a pre-existing relationship
  • by Anonymous Coward

    Presumably 99.9999% of US Government certs are in .mil and .gov, and 99.99999% of chinese-government-puppet certs are in CN, etc.

    Seems to me that the exposure could be enormously narrowed by scoping all of the obscure CAs to the one or two TLDs where they are most commonly used.
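
An added illustration of the TLD scoping proposed in the comment above (not part of the original thread, and not any browser's actual code): a client-side check that accepts a leaf certificate only when every DNS name in it falls under the TLDs its root is scoped to. The root names and scopes are constructed placeholders.

```python
# Constructed sample policy: root name -> allowed TLDs (None = unconstrained).
# These names and scopes are hypothetical placeholders, not real trust policy.
ROOT_SCOPES = {
    "Example Gov Root (constructed)": {"gov", "mil"},
    "Example CN Root (constructed)": {"cn"},
    "Example Global Root (constructed)": None,
}


def tld_of(name):
    """Return the final DNS label of a certificate dNSName, or None if unusable."""
    host = name.strip().lower()
    if host.endswith("."):            # tolerate a single fully-qualified trailing dot
        host = host[:-1]
    labels = host.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None                   # bare label or empty label: no usable TLD
    tld = labels[-1]
    if tld.isdigit() or "*" in tld:
        return None                   # IPv4 literal or wildcard in the TLD position
    return tld


def root_allows(root, dns_names):
    """True only if the root is known and every name is inside its scope."""
    if root not in ROOT_SCOPES:
        return False                  # unknown root: not trusted at all
    scope = ROOT_SCOPES[root]
    if scope is None:
        return True                   # unconstrained root
    if not dns_names:
        return False                  # nothing to match against a scoped root
    # Compare the last label exactly, so "www.example.gov.example.com" is not
    # mistaken for a .gov name the way a substring or prefix test would be.
    return all(tld_of(n) in scope for n in dns_names)


if __name__ == "__main__":
    gov = "Example Gov Root (constructed)"
    for names in (["www.example.gov"],
                  ["www.example.gov.example.com"],
                  ["www.example.gov", "mail.example.com"]):
        print(names, "->", root_allows(gov, names))
```

A certificate that mixes an in-scope name with an out-of-scope one is rejected as a whole, since accepting it would let the scoped root vouch for the second name.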

  • Interesting discussion on the Mozilla forum. In light of the information so far, it seems like it would be difficult for Mozilla to keep TeliaSonera as trusted and not lose face. It will be interesting to see what kind of implications this has going forward in regards to dealing with other CAs that have practices or relationships that might fall into the similar shady areas as TeliaSonera. There are some forum posts mentioning that maybe Cybertrust (acquired by Verizon - known for participating in surve
  • If there are Authorities you do not need in the browser list, how do you choose which ones to untrust? What if you only use https with a few sites, should you just look at the information and whitelist only those?

    • Firefox works from a list that's different than Chrome. I assume that there is another list again for people writing software for https connections. Maybe that's why I see the ssl libraries updating on my machine? If this is broken, then why is there not software available to "tune it" or test it so that it can be made to work?
      Can the web server see what Cert you used? Can they tell that a fake cert was used? Maybe it should draw a warning on your pages that the cert authority had no business issuin

  • ... That rules out Obama...
  • by X.25 (255792) on Wednesday April 17, 2013 @12:45AM (#43469677)

    I mean, they've been issuing intermediate CA certs to various 'friendly' governments and agencies, to support MITM (for 'lawful interceptions' only, of course).

    Will Mozilla remove them too, since they seem to be breaching that same policy?

    • 4 words:

      Too big to fail.

      Apparently if verisign is delisted, the internet stops working as expected.

      Which really means the internet is broken and needs to be fixed. Maybe delisting all the security signers and starting from scratch (web of trust, etc.) is a good thing...

  • Since I'm supporting an application that uses TeliaSonera certificates on the web server.

    And changing to another certificate is probably not on the map since it runs at TeliaSonera.

    • If they follow through with it, and if the other browser makers follow them, then you won't have to worry about it.

      A CA's business is all based on trust. As soon as they're known to be untrustworthy then they're dead. Well, for any commerce or banking site at least. I expect the governments to still use them though. Even being suspect is enough to drive business away.

      What we need is browsers pushing DNSSEC. Users are trained to look for the green padlock. If you display it as say yellow for a secure s

  • by stenvar (2789879) on Wednesday April 17, 2013 @02:50AM (#43470069)

    US, Canadian and European governments also spy on their citizens. So Mozilla now needs to determine whose spying is good and whose spying is bad. I'm not sure that's a business that Mozilla should be in.

    Perhaps a better solution would be to make it easier and more user friendly for people to detect questionable certificates and choose which certificates you trust. But, of course, that would upset Western governments...
