Mozilla Is Considering Revoking TeliaSonera Trust For Sales To Dictators
ndogg writes "Mozilla is considering pulling TeliaSonera from its list of root certificate SSL providers. They have asked for comments on this on their mailing list. They're concerned about the use of the certificates by those governments for spying on their citizens, particularly in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan — where TeliaSonera operates subsidiaries or is heavily invested. Mozilla's concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites — so-called man-in-the-middle attacks — and decrypt web traffic. This alleged activity would contradict Mozilla's policy against 'knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates.'"
Re: (Score:2)
Re:Mozilla Corporation - Fighting for Freedom agai (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Not quite clear what you are recommending here.
FWIW, I don't think ANY of the certificate issuing authorities are trustworthy. This doesn't mean that some aren't worse than others, and it might make sense to revoke the trust you have given to some of the worst actors, if you can do so without TOO much cost to yourself. If nothing else it would ensure that the infrastructure is in place to do the revocation. And it would encourage the weaker authorities to avoid being excessively vile.
The down side is th
Re: (Score:2)
Let's put it this way. Already the US security agencies have access, and are actively using it, to Google/Facebook/Twitter and so on information, no need to get into the encrypted communication. But what about other sites, especially the ones not hosted in the US but that could use certificates to encrypt communication? If they don't already have pretty broad (i.e. to *.com) or reissued certificates, they will start to ask for them pretty soon.
On the other hand, not trusting any certificates from any US based company will
Re:Mozilla Corporation - Fighting for Freedom agai (Score:4, Interesting)
It's flawed in that it only remembers one cert per domain for comparison and nowadays for whatever reasons companies like facebook and Google often use different certs signed by different CAs for the same domains and spread the load/connections amongst them. So you can get more warning prompts than you'd want.
This doesn't mean the concept is broken though, just that Certificate Patrol's particular implementation has room for improvement.
The desired case is, if at home you decide that the different certs you get from gmail or facebook are OK (and told the plugin to ignore them), then go to some foreign country and suddenly you get certs that are signed by TeliaSonera, you'd get a warning message and you'd know that something was up and choose not to login.
Same goes for logging in to your bank/corporate site while on a business trip to China. If the cert changes unexpectedly - from being signed by say Equifax to being signed by CNNIC, you should get a warning too.
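The improvement the comment asks for, as an added example that is not Certificate Patrol's code: a per-host memory that tolerates several previously accepted certificates (the load-balancing case) and separates a renewal by a CA already seen for that host from a certificate signed by a CA never seen for it. Host names, CA labels and certificate bytes are constructed stand-ins.

```python
# Added example (not Certificate Patrol's code): a per-host memory of previously
# accepted leaf certificates that tolerates several known-good certificates per
# host, the load-balancing case the comment describes, and distinguishes a
# renewal by a CA already seen for that host from a certificate signed by a CA
# never seen for it. Certificates and CA names are constructed stand-ins.
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Observation:
    host: str          # hostname the browser connected to
    issuer: str        # CA that signed the leaf ("Equifax", "CNNIC" in the comment)
    cert_der: bytes    # leaf certificate bytes (constructed, not a real certificate)

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.cert_der).hexdigest()


@dataclass
class PinStore:
    """Remembers every (fingerprint -> issuer) pair the user accepted for a host."""
    accepted: dict = field(default_factory=dict)

    def accept(self, obs: Observation) -> None:
        """Record a certificate the user has decided to trust for obs.host."""
        self.accepted.setdefault(obs.host, {})[obs.fingerprint] = obs.issuer

    def check(self, obs: Observation) -> str:
        """Classify a freshly presented certificate against the host's history."""
        known = self.accepted.get(obs.host)
        if not known:
            return "first-seen"                    # no history yet; nothing to compare
        if obs.fingerprint in known:
            return "ok"                            # exactly one of the accepted certs
        if obs.issuer in known.values():
            return "warn-new-cert-same-issuer"     # plausible renewal; user may confirm
        return "alert-new-issuer"                  # never-seen CA: the travel scenario


def travel_scenario() -> list:
    """Constructed replay of the comment: two CAs accepted for the host at home,
    then a renewal by one of them, then a certificate from a CA never seen before,
    then a host with no history at all."""
    store = PinStore()
    home = [Observation("mail.example.com", "CA-A", b"leaf-A-1"),
            Observation("mail.example.com", "CA-B", b"leaf-B-1")]
    for obs in home:
        store.accept(obs)
    results = [store.check(obs) for obs in home]
    results.append(store.check(Observation("mail.example.com", "CA-A", b"leaf-A-2")))
    results.append(store.check(Observation("mail.example.com", "CA-C", b"leaf-C-1")))
    results.append(store.check(Observation("other.example.com", "CA-A", b"leaf-A-1")))
    return results


if __name__ == "__main__":
    print(travel_scenario())
```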
Re: (Score:3)
Comment removed (Score:5, Insightful)
Re:Mozilla Corporation - Fighting for Freedom agai (Score:5, Insightful)
Strange. Almost everyone who has issues with the corruption found in American politics is labeled as a "communist".
And, if my wealth, relative to that of the rest of the world, depends on a subservient Latin America - well, I don't need or want it.
Re: (Score:2, Insightful)
Smedley Butler was, if not an outright Communist, at least a fellow traveller. His views on America's wars of the era are therefore tainted by the particular ideology that gripped him at that time, and he was not a dispassionate commentator.
Hahaha. Are you actually using this as an argument?
Wow.
Re: (Score:2, Insightful)
"As nasty and corrupt as..." ... China under Mao? Venezuela under Chavez? Cuba under Castro? The USSR under Lenin and Stalin? Cambodia under Pol Pot? The DPRK under the various Kims? Zimbabwe under Mugabe? Zaire/the Congo under Mobutu?
Care to revise your bullshit story?
For all of America's, the American government's, and its leaders' flaws - and of course they are many (and one wonders how your life would stand up upon the withering criticism and examination that the life of a President, for example,
Mod parent up (Score:1)
A rare voice of reason in a sea of anti-American populists milking the current fad.
Re: (Score:2)
I don't understand what you mean. I was referring to the way it seems popular to vilify the U.S. nowadays, ignoring the good things the U.S. has done and continues to do. Yes, Eisenhower spoke about that, and he may have been right.
But I think you missed the GP's point. It's easy to criticize the status quo, because it's far, far from perfect, just, or fair. The problem is that there is no viable alternative. Communism and socialism and fascism all failed, because they are rotten at their core. Capit
Re: (Score:1, Insightful)
Re: Mozilla Corporation - Fighting for Freedom aga (Score:2)
Oh I noticed you didn't have the balls to have a UID, kinda sad when you don't even have the balls to stand behind your bullshit
As opposed to Mr. Hairyfeet of 4 Riverside Drive, Boston who risks his political career whenever he posts?
Yeah it's more credible when there's a tag associated, but it's not taking balls to log in and create an account. I could post any amount of heinous shit myself and walk away with my life working just perfectly.
Re: (Score:2)
Don't get excited. It's the address of a hotel.
Re:Mozilla Corporation - Fighting for Freedom agai (Score:5, Insightful)
Re: (Score:1)
Re: (Score:3)
But that was not what we were discussing. You said that the US government was "as nasty and corrupt as the rest", the AC pointed out some examples that he felt was worse while acknowledging that the US did have its own problem, and you interpreted that as giving the US a free pass. I pointed out that that was not what the AC said, and you have now accused ME of saying everything
Re: (Score:2)
[...] original comment said "Frankly the US government is just as nasty and corrupt as the rest[...]", against which examples of other, worse regimes is a quite effective argument.
Let's deconstruct that argument, shall we?
The AC gave a list of 8 regimes, with three of the examples consisting of dead ex-leaders.
So, considering regimes ranging from 1917 (Example #4: USSR under Lenin) until today, given that we currently have over 200 countries and the tumultuous nature of the past century, a conservative estimate would be at least twice that number of distinct "regimes". I'm not a political historian, so I'll just take 400 as my estimate (feel free to correct me with hard data).
8 of
Re: (Score:2, Offtopic)
The 58,000 of you are nothing compared to the 400,000 civilians killed in a war that you had to use a false flag operation to start. What about them? What about the ongoing effects of what you left behind? My wife's cousin not only can't speak but has no concept of language because of the dioxins in the food chain. It really makes my blood boil when I see shit in the media that ignores the cost to Vietnam while making a big deal over the loss of American or Australian lives, or the effects of agent oran
Re: (Score:2)
According to Michael Moore, Cuba has the best medical care in the world. Just ask Hugo Chavez.
No. The US has the best medical care in the world. Just ask Michael Jackson.
Re: (Score:2)
"As nasty and corrupt as..." ... China under Mao? Venezuela under Chavez? Cuba under Castro? The USSR under Lenin and Stalin? Cambodia under Pol Pot? The DPRK under the various Kims? Zimbabwe under Mugabe? Zaire/the Congo under Mobutu?
Care to revise your bullshit story?
For all of America's, the American government's, and its leaders' flaws - and of course they are many (and one wonders how your life would stand up upon the withering criticism and examination that the life of a President, for example, gets) - I believe very few of our leaders have ever had a genuine desire to harm people nor have they harbored a profound megalomania. Ego - of course; megalomania - no. Sure, go ahead and despise a President because of their ideological orientation that you disagree with but the notion of the Chomskyites, this strange Kool-Aid they like to guzzle, being fed doses of pablum about "American Imperialism" and the "Military-Industrial Complex" and railing endlessly about the "Evils of Capitalism" yet enjoying its countless benefits (you know, like jobs, homes, clothes, electronics, computers, global air travel, and this weird little thing called the Internet), never proffering a meaningful let alone viable alternative, I am convinced is one of the luxuries provided by the American model of capitalism and Constitutional governance. Trust me if you were to write what you wrote about Mugabe your flesh-burned and -torn body (they wouldn't spend a bullet on you, lest they lose out on a good opportunity to torture you first) would soon be found on the roadside somewhere.
And, if you despise America, think it hopelessly corrupt and nasty "as the rest" then why not leave it for greener pastures? Maybe some other country has it figured out better than we do? According to Michael Moore, Cuba has the best medical care in the world. Just ask Hugo Chavez.
You are probably under 30, since it would appear you don't understand what the USA was 30+ years ago and why people see the USA as a horribly, horribly corrupt country.
But of course, your short life experience and Wikipedia make you competent to bleat about anything you wish.
Re: (Score:2)
OK, what's so different about the US nowadays? US involvement in Iraq and Vietnam seems rather similar to me - authorization gained by deceit, winning all the battles but still floundering, lasting longer than WWII did (assuming the common 1939 start date), hurting a lot of innocent civilians. Slightly earlier, anti-communist witch hunts had been the demonization of the day, and during the Vietnam War the FBI infiltrated a lot of peaceful anti-war groups in an attempt to discredit them. I think I unders
Re: (Score:2)
I believe very few of our leaders have ever had a genuine desire to harm people nor have they harbored a profound megalomania. Ego - of course; megalomania - no.
What is, Manifest Destiny's Child.
I'll take ironic idiots for $1000, Alex.
Re: (Score:2, Insightful)
OK troll, I will bite!
What, Homeland Security, the FBI, the NSA are angels?
The countless US invasions, the protection of dictators like Noriega, Pinochet and even Saddam just because (in their opinion it's the lesser of two evils), the support of Islamic groups like the Taliban, etc, etc. Even today, the CIA torture jails, Halliburton corruption, Wall Street and bank frauds show that you have nastiness and corruption all over the top of US government and companies.
Probably the US is directly and indirectly respo
Re: (Score:2)
"As nasty and corrupt as..." ... China under Mao? Venezuela under Chavez? Cuba under Castro? The USSR under Lenin and Stalin? Cambodia under Pol Pot? The DPRK under the various Kims? Zimbabwe under Mugabe? Zaire/the Congo under Mobutu?
Are you trying to say that, if we rank all regimes in modern history by their level of corruption, the current US one would be in, what, 9th place?
OK, correction accepted.
Re: (Score:2)
Re:Mozilla Corporation - Fighting for Freedom agai (Score:5, Insightful)
The whole point of certificates and SSL is to protect communications between the browser and the web server. It's not "to protect communications from everyone except the government". It's to protect it from EVERYONE - including (and sometimes especially) the government.
Re: (Score:1)
There most certainly is a "good or bad" - your own assertion that every government in the world is corrupt supports that, in fact. I have no idea why you went on the anti-US rant there, but whatever.
The issue to discuss is the difficult position that Mozilla finds itself in now: an intentional and self-imposed obligation to act when cert authorities are compromised coupled with the unintended consequence of now having to decide if a Sovereign nation, acting legally within its own jurisdiction, constitutes a
Re: (Score:2, Redundant)
I like the US forcing its American Way on others, insofar as it means freedom.
Unless you are gay and want to marry.
Want your children to learn real science in school and not pseudo-babble based on superstition.
Want to earn a living without the state confiscating some of it from you.
None of that indicates the US is pro-freedom.
Re: (Score:2)
Unless you are gay and want to marry.
There are many places in America where gays can marry, and more states are considering it. We are moving in the right direction.
Want your children to learn real science in school and not pseudo-babble based on superstition.
Creationists and IDers have repeatedly been smacked down by the courts.
Want to earn a living without the state confiscating some of it from you.
American taxes are among the developed world's lowest.
None of that indicates the US is pro-freedom.
Would you care to name someplace better?
Re: (Score:2)
Unless you are gay and want to marry.
There are many places in America where gays can marry, and more states are considering it. We are moving in the right direction.
It's hardly a country that loves freedom if it regulates people's personal lives like this.
Want to earn a living without the state confiscating some of it from you.
American taxes are among the developed world's lowest.
And yet those taxes are still there. How can the US be pro freedom if it actively harms people by confiscating property off them using a threat of force?
None of that indicates the US is pro-freedom.
Would you care to name someplace better?
I can't - but that doesn't mean (in any way at all) that the US is the bastion of freedom. It's not. Your government removes and dilutes your freedoms far too much.
Re: (Score:3)
It's hardly a country that loves freedom if it regulates people's personal lives like this.
It's a federal country. You have the freedom to leave a state that doesn't respect your freedom for one that does.
How can the US be pro freedom if it actively harms people by confiscating property off them using a threat of force?
Without taxation, there is no way to fund a court or police force. Without those, there is no way to enforce the laws against a private citizen using force or fraud to coerce another private citizen. Or what am I missing?
Re: (Score:2)
It's hardly a country that loves freedom if it regulates people's personal lives like this.
It's a federal country. You have the freedom to leave a state that doesn't respect your freedom for one that does.
So you're saying that the US is pro-freedom, except for when it's not and in those cases you can go and live somewhere else?
How can the US be pro freedom if it actively harms people by confiscating property off them using a threat of force?
Without taxation, there is no way to fund a court or police force.
There are other ways of raising funds without resorting to extortion. Donations and lotteries come to mind.
Without those, there is no way to enforce the laws against a private citizen using force or fraud to coerce another private citizen. Or what am I missing?
You're missing the fact that in order to prevent one citizen from using force or fraud against another citizen, the state must use force and fraud against all citizens.
If their goal is to protect people from the initiation of force then they lost immediately when they fund it via
Re:Mozilla Corporation - Fighting for Freedom agai (Score:5, Insightful)
First, this is coming from a die hard libertarian.
You do realize that the idea of taxes is to pay for things that everyone uses, but would be infeasible to be run by private entities. This so called extortion you speak of is basically making you pay for that which you use. i.e. not stealing it. Any sane individual has no problem with paying taxes for public services, the disagreement comes into what should be a public service and what should not.
And your statement on fraud confirms you do not know what fraud is. I may not know everything the government does with the money I give them, but I do know that it's not swindled from me, and I do know what a lot of it goes towards. Fraud would be being told you're paying for one thing, then either not getting it at all, or getting something very different, and worth much less.
And everything is pro-freedom except when it's not. I expect to be free to do what I want, except when it violates the freedoms of other people. I don't expect to have the freedom to get in my car drunk off my ass and drive down the road. That endangers the freedom of other people to exist.
Seriously, are you trolling or just stupid?
You don't sound like Libertarians I know (Score:2)
Here's what I hear all the time from Libertarians I have known.
ALL taxes are evil. Well, OK, maybe it's necessary to pay something just to support the military so China/Russia/whoever won't invade us.
There's NOTHING that the government does that private industry can't do better and cheaper. NOTHING.
Most of the taxes paid are wasted on a bloated government.
If government didn't do anything ex
More force or less force (Score:2)
There are other ways of raising funds without resorting to extortion. Donations and lotteries come to mind.
A lottery is a tax on being bad at math. Where does law enforcement get its funding once people become no longer bad at math?
You're missing the fact that in order to prevent one citizen from using force or fraud against another citizen, the state must use force and fraud against all citizens.
As for force, in this imperfect system of things, it is impossible to reduce total force and fraud to zero. The job of a tax-funded police force is to minimize the use of force. The job of a lot of other tax-funded services is to minimize situations that lead to poverty because desperation to survive is itself known to lead to the use of force. As for fraud, the laws are on the books
Re: (Score:2)
There are other ways of raising funds without resorting to extortion. Donations and lotteries come to mind.
A lottery is a tax on being bad at math. Where does law enforcement get its funding once people become no longer bad at math?
A lottery is not a tax when partaking is voluntary. Other funding mechanisms include charity and user charges.
You're missing the fact that in order to prevent one citizen from using force or fraud against another citizen, the state must use force and fraud against all citizens.
As for force, in this imperfect system of things, it is impossible to reduce total force and fraud to zero. The job of a tax-funded police force is to minimize the use of force. The job of a lot of other tax-funded services is to minimize situations that lead to poverty because desperation to survive is itself known to lead to the use of force. As for fraud, the laws are on the books for all to see. Please explain what you meant by government use of fraud against citizens.
I don't think the state should protect people from themselves or from nature. That's what the community is for, via voluntary means. The state should only protect people from other people.
I consider forcing someone to hand over their money using a threat of force to be a form of fraud. It may not be the best use of the word, but either way it's unethical and should be illegal.
Re: (Score:2)
Other funding mechanisms include charity and user charges.
But everybody is a "user" of being protected from other people, and now we're right back to taxes.
I don't think the state should protect people from themselves or from nature. That's what the community is for, via voluntary means.
So what should a community do with people who refuse to participate? Consider carefully how you choose your answer to this question; otherwise, you're right back to government services.
Re: (Score:2)
Other funding mechanisms include charity and user charges.
But everybody is a "user" of being protected from other people, and now we're right back to taxes.
I would help to fund a police force that protects my neighbour even though my neighbour would not. It's in my best interests to do so.
I don't think the state should protect people from themselves or from nature. That's what the community is for, via voluntary means.
So what should a community do with people who refuse to participate? Consider carefully how you choose your answer to this question; otherwise, you're right back to government services.
So long as those people are not harming other people then they get left alone. But they don't get to use any services that they do not pay for.
Re: (Score:2)
But they don't get to use any services that they do not pay for.
A child cannot afford to pay for anything. Should children whose parents die starve to death?
Re: (Score:2)
But they don't get to use any services that they do not pay for.
A child cannot afford to pay for anything. Should children whose parents die starve to death?
A child would have a guardian. Adults are responsible for children, not feeding them would be tantamount to abusing them. If a child has no parents then someone would adopt that child. There are a lot of people out there that would be willing to do this.
Would you let a child starve? I wouldn't. Freedom is about caring for other people around us, and acting to help them. Not because we are forced to but because it's the right thing to do.
Re: (Score:2)
I would help to fund a police force that protects my neighbour even though my neighbour would not. It's in my best interests to do so. [...] But they don't get to use any services that they do not pay for.
So how should the police determine at a glance who has subscribed and who has not?
Re: (Score:1)
It's hardly a country that loves freedom if it regulates people's personal lives like this.
Balderdash. Anyone can live with whomever he wants and can make whatever kind of promises or agreements he wants with whomever he wants. The government not giving a slip of paper endorsing or verifying their private decisions is not a form of regulating their personal lives--it's the opposite! It's refusing to be involved in it! How much more freedom do you require than lack of involvement?
And yet those taxes are still there. How can the US be pro freedom if it actively harms people by confiscating property off them using a threat of force?
You're being silly. Every nation in the world has taxes, and no nation could exist with zero taxes. Taxes have be
Re: (Score:2)
It's hardly a country that loves freedom if it regulates people's personal lives like this.
Balderdash. Anyone can live with whomever he wants and can make whatever kind of promises or agreements he wants with whomever he wants. The government not giving a slip of paper endorsing or verifying their private decisions is not a form of regulating their personal lives--it's the opposite! It's refusing to be involved in it! How much more freedom do you require than lack of involvement?
Then why all this fuss about gay marriage? Why is bigamy illegal? Laws that criminalise those things restrict personal liberties.
And yet those taxes are still there. How can the US be pro freedom if it actively harms people by confiscating property off them using a threat of force?
You're being silly. Every nation in the world has taxes, and no nation could exist with zero taxes. Taxes have been around as long as death. Your argument is preposterous and irrational.
Just because all nations have taxation does not mean that it is impossible for a nation to exist without it. Just because taxation has been around for a long time doesn't mean it's not an infringement on our liberties.
I can't - but that doesn't mean (in any way at all) that the US is the bastian[sic] of freedom. It's not. Your government removes and dilutes your freedoms far too much.
All governments do--that's their basic function. Only by the vigilance of its citizens does a nation preserve its liberty.
The basic function of government should be to protect people from harm. They shouldn't be the ones doing the harming.
Thankfully, our basic rights which allow us to be vigilant are enshrined in our founding documents, a claim which few nations can make.
Is the US perfect? Hardly. Is it getting worse? Perhaps. Is there any freer nation? No.
But, hey, bashing America is easy and popular, so why not join the mob?
I'm not bashing the USA. I'm bashing all countri
Re: (Score:2)
It's hardly a country that loves freedom if it regulates people's personal lives like this.
Balderdash. Anyone can live with whomever he wants and can make whatever kind of promises or agreements he wants with whomever he wants. The government not giving a slip of paper endorsing or verifying their private decisions is not a form of regulating their personal lives--it's the opposite! It's refusing to be involved in it! How much more freedom do you require than lack of involvement?
Then why all this fuss about gay marriage? Why is bigamy illegal? Laws that criminalise those things restrict personal liberties.
That's a good question. Originally I'm sure it goes back to something like common law or colonial values, i.e. moral values. From a practical standpoint, it probably exists to protect women from men who would marry a woman and then marry another woman, perhaps even secretly; this could go on and on, as he abandons each one for the next. When those laws were written or assumed, women could not as easily survive independently. It really hasn't been that many years since marriage and family was a basic nece
Re: (Score:1)
Yes, your taxes are low because you have poor people living in misery! People who want to live well don't live in the USA; you live in propaganda, in a bubble where poor people are to be ignored and not taken care of. There are loads of better countries. I am from Scandinavia and from our point of view, the USA seems more like a third world dictatorial country than a rich democratic country ... you should try to live somewhere else sometimes ...
Re: (Score:2)
Unless you are gay and want to marry.
There are many places in America where gays can marry, and more states are considering it. We are moving in the right direction.
The same group that pushes for gays to marry also presses the hardest to outlaw polygamy, and 1-on-1 marriage between biological adults. The latter even carries massive prison sentences, and at least brands you for life.
Re: (Score:2)
I like the US forcing its American Way on others...
Your desire to lord over me is not on an equal footing with my desire to be free.
Those two statements contradict each other, especially when "forcing its American Way on others" means an occupying force.
It is about freedom -- of association, of speech, of property.
Property is not a natural right.
Re: (Score:2)
More to the point, ownership is not a right that can be defined in the absence of government... and here "government" has to be defined as "use or threat of overriding force".
Note that in this sense social animals have government, so it's broader than the normal use of the term.
For that matter, I equate "natural right" to "evolutionarily stable strategy", which means that it alters with the environment, and isn't something stable. It's also worth remembering that "money" is a government invention (King Cyr
Re: (Score:3)
"There is no good or bad."
You were making sense, until you wrote that bit of drivel. Yes, child, there really IS good, and there really IS bad. I can agree with you that the US government often doesn't know the difference. I can agree that the US government is in no position to be the final arbiter of good and bad. But, there really are evil sumbitches in the world. A significant number of them occupy positions of power.
Re: (Score:2)
Decentralised is the way to go. (Score:4, Insightful)
Instead of trusting any of these companies (they'll sell to the US government as well, I'm sure), why not switch to Convergence [wikipedia.org]? It reduces the need to trust companies like this.
Mozilla (and Google, and other browser makers) should include it by default in all their products (even if turned off) to make it easier for people to switch away from centralised systems. Viva la revolución.
DNSSEC for certificate distribution (Score:4, Interesting)
I'm not particularly impressed with Convergence in particular. What seems to make the most sense is to self-publish SSL certificates using DNSSEC.
Re: (Score:2)
now this... this seems like something I'd be interested in reading about. Is there some real discussion about this, or did you come up with it yourself? (It's not a bad idea at all at first blush)
Re: (Score:1)
http://tools.ietf.org/html/rfc6698
http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
In short, it's very new and no browser has serious support for it. Except maybe the Chromium dev channel.
https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Google_Chrome
Re: (Score:2)
I don't quite get how DNSSEC will solve anything; doesn't DNSSEC use trust anchors that can be just as compromised as the current SSL 'trust'?
Or is there some special extra trustworthiness that makes the root signers more immune to coercion or trickery?
Re: (Score:2, Interesting)
Proper DNSSEC uses a single trust anchor for the root "." that can validate the delegated registries (com., net., uk., fr.). DLV registries were a hack until the root zone got signed, which has now happened.
For DNSSEC to work you need to validate the responses of signed zones and you need to trust their corresponding registries (for .com Verisign). The person signs their zone (example.com) and pushes their public key up to Verisign in the form of DS record. The registry can remove the public key, causing th
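The RFC 6698 mechanism linked a few replies up and the self-published certificate this post describes, as an added example that is not from the RFC, Mozilla, Chromium or any DNS implementation: it builds the TLSA record a site operator would publish for its certificate and checks a TLSA record against a certificate, covering both selectors (0 = whole certificate, 1 = SubjectPublicKeyInfo) and all three matching types. The certificate is a constructed, unsigned DER skeleton with placeholder key bits produced by a tiny encoder in the block; the DNSSEC validation of the record itself is assumed to have happened already.

```python
# Added example, not from RFC 6698 or any browser or DNS implementation: builds
# the TLSA record a site operator would publish for its certificate and checks a
# TLSA record against a certificate, covering both selectors (0 = whole cert,
# 1 = SubjectPublicKeyInfo) and all three matching types. The certificate is a
# constructed, unsigned DER skeleton with placeholder key bits, built by a tiny
# encoder below; it is not a real certificate and carries no real key.
import hashlib


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _tlv(buf: bytes, pos: int):
    """Decode the TLV header at pos; return (tag, body_start, body_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    return tag, pos + hdr, pos + hdr + n


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo, the part TLSA selector 1 refers to.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, tbs_pos, _ = _tlv(cert_der, 0)                 # outer Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, tbs_pos)               # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                                   # explicit [0] version is present
        pos = end
    for _ in range(5):                                # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)                   # subjectPublicKeyInfo SEQUENCE
    return cert_der[pos:end]


def build_sample_cert(key_bits: bytes) -> bytes:
    """Constructed X.509 v3 skeleton (no real key, no real signature) for the example."""
    def seq(*parts):
        return _der(0x30, b"".join(parts))
    version = _der(0xA0, _der(0x02, b"\x02"))                                          # [0] EXPLICIT INTEGER 2
    serial = _der(0x02, b"\x01")
    sig_alg = seq(_der(0x06, bytes.fromhex("2a864886f70d01010b")), _der(0x05, b""))   # sha256WithRSAEncryption
    name = seq(_der(0x31, seq(_der(0x06, b"\x55\x04\x03"), _der(0x0C, b"example.com"))))  # CN=example.com
    validity = seq(_der(0x17, b"130101000000Z"), _der(0x17, b"140101000000Z"))        # UTCTime pair
    key_alg = seq(_der(0x06, bytes.fromhex("2a864886f70d010101")), _der(0x05, b""))   # rsaEncryption
    spki = seq(key_alg, _der(0x03, b"\x00" + key_bits))                                # BIT STRING, 0 unused bits
    tbs = seq(version, serial, sig_alg, name, validity, name, spki)
    return seq(tbs, sig_alg, _der(0x03, b"\x00" + bytes(16)))                          # placeholder signature


def tlsa_record_for(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation form 'usage selector matching-type data' (RFC 6698 section 2.2).
    Defaults are DANE-EE / SPKI / SHA-256, the usual self-published form."""
    part = cert_der if selector == 0 else subject_public_key_info(cert_der)
    data = {0: part, 1: hashlib.sha256(part).digest(), 2: hashlib.sha512(part).digest()}[mtype]
    return f"{usage} {selector} {mtype} {data.hex()}"


def tlsa_matches(record: str, cert_der: bytes) -> bool:
    """Check one TLSA record against the chain element its usage names: the
    end-entity certificate for usages 1 and 3, a CA certificate from the chain
    for usages 0 and 2. Usages 0 and 1 also require ordinary PKIX validation,
    which is outside this function."""
    usage, selector, mtype, data = record.split(maxsplit=3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA usage, selector or matching type")
    assoc = bytes.fromhex(data.replace(" ", ""))
    part = cert_der if selector == 0 else subject_public_key_info(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype]
    return digest(part) == assoc


if __name__ == "__main__":
    cert = build_sample_cert(b"\x01" * 32)
    record = tlsa_record_for(cert)
    print(record, tlsa_matches(record, cert))
```

A record that still matches after the site rotates its key was never the key's record at all, which is why selector 1 with usage 3 is the form that actually pins the server's key rather than a CA's opinion of it.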
Re: (Score:3)
It's not some entity other than the one who's already directing you to the website. Presumably if it were easier to redirect at the DNS level as opposed to MITMing and getting a fake certificate, people would be doing that instead. It also makes any compromise much more visible and reduces the number of people you need to trust absolutely.
Re: (Score:1)
I partly agree, but there are problems with just trusting DNSSEC.
In the current situation, to impersonate an SSL protected site you need to MITM in some way (e.g. DNS spoofing), and get a valid certificate for the domain. So you have to at least attack two different security measures (even if MITM is simple for some entities).
If certificate info is published in DNSSEC you need to compromise only one place to achieve both MITM and add fake certificates. Sure it might be harder, but if this method was used, I
Re: (Score:3)
A great feature of Convergence is the ability to have multiple signatures. HTTPS needs this too. Imagine the current scenario where gmail regularly has 25 signers on its certificate and then one day there is only one. With something like EFF's HTTPS Everywhere SSL Observatory, this could be flagged.
But, switching TLS signing to PGP is a big deal and not backwards compatible. What I'd like to see (somebody else do this so I don't have to) would be an extension that would allow multiple certificates to be
There are many others. (Score:4, Insightful)
Mozilla still includes all kinds of questionable cert authorities. Once I learned that, I had to go through my default Firefox installs and remove all the ones by Chinese government arms and similar.
Why single out these countries? I will never need a cert signed by a foreign government - ANY foreign government. There are probably only about 5% of authorities I actually might trust included in Firefox. The rest are illegitimate for 99% of users.
Re:There are many others. (Score:5, Insightful)
I will never need a cert signed by a foreign government - ANY foreign government.
I'm having a hard time with trusting domestic governments as well.
Re: (Score:2)
That's a nice idea, but it doesn't really solve the underlying problem. Imagine that you're convinced that TeliaSonera is friendly to governments in Central Asia (as the story seems to imply). So it would make sense to trust them (a lot) to attest government-friendly identities in that region. But it would be silly to trust them (at all) for anything else.
In the end, trust in a CA has context. It's not enough to simply assign a number to convey how much you trust a particular CA; what you're really interest
Re: (Score:2)
While your point has merit, context is a really tricky problem. A weight is something simple and easy...and could be implemented without slowing things down much.
OTOH, I certainly feel that individuals should be able to adjust the weights easily.
Question: Should the CA be able to determine whether or not a particular site trusts them? If not, how do you indicate the amount of trust (since you don't want to just block)? Things get complicated quickly.
Re: (Score:3)
Mozilla still includes all kinds of questionable cert authorities.
Oh yes? Please list them and link to a certificate provided by one of them which has been issued without the permission of the party it has reputedly been issued to. Specifics, please. This is the criterion, more or less the only criterion, that makes a cert authority questionable. Otherwise you are just (correctly) questioning the CA system, which doesn't do what you think it does.
Re: (Score:1)
Surely, no American company would stoop so low... (Score:1)
As to sell services to dictatorships?! Of course not!
But those Swedes (and Finns == Swedes in disguise... Or is it vice versa?) are capable of anything. Just remember that Finnish (his mother tongue is Swedish, ha!) guy who invented Linux, and you will understand what they are capable of!
Mozilla, please stop them!
Good to see (Score:5, Interesting)
The preinstalled root certs have enormous leverage. If the validation of certificate requests performed by CAs is a known weak link in X.509, how much more so the point where those CAs are designated as trusted?
Thanks to the efforts of Mozilla, among others, we have a much more diverse browser ecosystem than even a few years ago. To some extent at least, the free market can decide which browser to use. I know that I'm more inclined to use a product that is squarely on the side of human rights than one which can be used as an instrument of oppression. And these difficult questions of policy and enforcement provide a chance for Mozilla to distinguish itself, which I think it's doing very ably.
Mozilla supports the Internet Civil Rights Bill in (Score:1)
Brazil. [mozilla.org] So this kind of action is a natural extension of that.
Re: (Score:3)
I know that I'm more inclined to use a product that is squarely on the side of human rights than one which can be used as an instrument of oppression.
Then you may want to consider not using Mozilla. They're talking about pulling the certificate authority of a half dozen smaller countries on the suspicion that it has cooperated with those governments' lawful requests to monitor their citizens' internet access. Or as it is called on slashdot, "spying." But here's the thing: There's no proof. It's just a suspicion... and it's a suspicion based on guilt by association no less.
So Mozilla is proposing forcing some of the people in these countries to use insecur
Re: (Score:2)
Speaking of weighing evidence, can you be a little more specific than a vague reference to "half a dozen smaller countries"? It's not possible to take such claims seriously. They certainly don't co
Re: (Score:2)
Speaking of weighing evidence, can you be a little more specific than a vague reference to "half a dozen smaller countries"? It's not possible to take such claims seriously. They certainly don't constitute grounds to think less of Mozilla, but they do raise doubts about you if this is your best way of establishing credibility. (And no, you can't date my daughter either, in case you were wondering. You're definitely not in her league.)
From the summary of the article: "Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan". And no, I wouldn't want to date your daughter, if she's got a personality anything like yours though, I can well imagine your desperation to find her someone.
Re: (Score:2)
I don't see how people are being forced to use insecure communications. Websites can choose to get certificates from wherever they want. All this does is take out one of the certificate providers.
Re: (Score:2)
Which is likely to be the source of trusted certificates for locally-provisioned HTTPS. Sure, no one's hijacking connections to US sites, but a local-language and locally-sited Google or Facebook or Twitter could be fair game.
SSL is broken by design (Score:3, Interesting)
Why doesn't everyone use SRP [wikipedia.org] instead?
- User proves it has password without divulging any data.
- Man in the middle obtains zero information.
- Generates encryption key for rest of the connection.
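To make the three listed properties concrete, here is a minimal SRP-6a run (an added example, not code from the post or from any SRP library). The group (N, g), the username and the password are constructed for the demo; the tiny modulus is chosen only to keep the code short and is not secure, and the large RFC 5054 groups are not reproduced here.

```python
# Added example, not code from the Slashdot post: a minimal SRP-6a exchange.
# (N, g) is a constructed toy group so the demo stays short; it is NOT secure.
# Real deployments use the large groups from RFC 5054.
import hashlib
import secrets

N = 1019   # toy safe prime 2*509+1, for illustration only
g = 2

def H(*parts) -> int:
    """Hash any mix of ints/strings to an integer; SRP derives k, x, u this way."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

k = H(N, g) % N   # SRP-6a multiplier

def register(username: str, password: str) -> dict:
    """Enrolment needs a channel the client already trusts. The server keeps
    only the salt and the verifier v = g^x, never the password itself."""
    salt = secrets.token_hex(8)
    x = H(salt, H(f"{username}:{password}"))
    return {"username": username, "salt": salt, "v": pow(g, x, N)}

def srp_exchange(record: dict, username: str, password: str) -> tuple:
    """One login. Returns (client_key, server_key, wire); `wire` holds every
    value an eavesdropper sees. No password or verifier is ever transmitted."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                    # client -> server
    while True:                                         # server picks b with B != 0
        b = secrets.randbelow(N - 2) + 1
        B = (k * record["v"] + pow(g, b, N)) % N        # server -> client
        if B:
            break
    u = H(A, B)                                         # computed by both sides
    # Client recomputes x from its password; the server only has the verifier v.
    x = H(record["salt"], H(f"{username}:{password}"))
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(record["v"], u, N)) % N, b, N)
    wire = {"username": username, "salt": record["salt"], "A": A, "B": B}
    return H(S_client), H(S_server), wire
```

With the right password both keys agree; with a wrong one they (almost always, given the toy modulus) differ, and the observed values in `wire` never contain the password.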
Re: (Score:1)
Re: (Score:2)
In this particular instance, you actually want to say "password" of the person - it's actually right there in the protocol name - but yes. SRP is fantastic for situations where you want to authenticate over an unsecured connection. It is incapable of handling registration over such a connection though, unless there's somebody else's password you use first to establish a secure channel. This means it is not a viable replacement for SSL/TLS in common web usage.
SRP does also have a "key" of sorts, but it's pub
Why not TLD scope CAs (Score:1)
Presumably 99.9999% of US Government certs are in .mil and .gov, and 99.99999% of Chinese-government-puppet certs are in .cn, etc.
Seems to me that the exposure could be enormously narrowed by scoping all of the obscure CAs to the one or two TLDs where they are most commonly used.
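The scoping proposed above is essentially what X.509 Name Constraints (RFC 5280 section 4.2.1.10) do inside a certificate chain; the browser-side check below applies the same dNSName matching rule to a per-root policy instead. It is an added example, not Mozilla's or any browser's code, and the root nicknames, scopes and host names are constructed for the demo.

```python
# Added example (not from the thread or any browser): scoped trust for roots,
# using the dNSName subtree matching rule of RFC 5280 Name Constraints.
# All CA nicknames, scopes and host names below are constructed for the demo.
from dataclasses import dataclass, field

@dataclass
class Scope:
    permitted: list = field(default_factory=list)   # dNSName subtrees allowed
    excluded: list = field(default_factory=list)    # dNSName subtrees refused

# Hypothetical policy: an empty permitted list means "any name", i.e. the
# unscoped behaviour every root gets today.
POLICY = {
    "Example US Gov Root": Scope(permitted=["gov", "mil"]),
    "Example CN Root":     Scope(permitted=["cn"]),
    "Example Global Root": Scope(excluded=["gov", "mil"]),
}

def in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName rule: a name is in a subtree when it equals it or is
    built by adding labels on the left ('host.example.com' in 'example.com').
    Matching is case-insensitive; a leading dot on the subtree is tolerated."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().lstrip(".").rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def name_allowed(name: str, scope: Scope) -> bool:
    """Excluded subtrees win over permitted ones, as in RFC 5280."""
    if any(in_subtree(name, s) for s in scope.excluded):
        return False
    return not scope.permitted or any(in_subtree(name, s) for s in scope.permitted)

def check_chain(issuer: str, san_dns_names: list) -> tuple:
    """Return (accepted, reasons). Unknown roots are rejected, and every SAN
    dNSName must lie inside the root's scope for the chain to be accepted."""
    scope = POLICY.get(issuer)
    if scope is None:
        return False, [f"unknown root {issuer!r}"]
    bad = [n for n in san_dns_names if not name_allowed(n, scope)]
    if bad:
        return False, [f"{n} is outside the scope of {issuer}" for n in bad]
    return True, []
```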
it will be hard to not drop them now (Score:2)
So what is the procedure to protect yourself (Score:2)
If there are Authorities you do not need in the browser list, how do you choose which ones to untrust? What if you only use https with a few sites, should you just look at the information and whitelist only those?
And why do the browsers have different lists (Score:2)
Firefox works from a list that's different from Chrome's. I assume that there is another list again for people writing software for https connections. Maybe that's why I see the ssl libraries updating on my machine? If this is broken, then why is there not software available to "tune it" or test it so that it can be made to work?
Can the web server see what Cert you used? Can they tell that a fake cert was used? Maybe it should draw a warning on your pages that the cert authority had no business issuin
Well shit (Score:2)
Haha. Ok, what about Verisign/etc? (Score:5, Insightful)
I mean, they've been issuing intermediate CA certs to various 'friendly' governments and agencies, to support MITM (for 'lawful interceptions' only, of course).
Will Mozilla remove them too, since they seem to be breaching that same policy?
Re: (Score:3)
4 words:
Too big to fail.
Apparently if Verisign is delisted, the internet stops working as expected.
Which really means the internet is broken and needs to be fixed. Maybe delisting all the security signers and starting from scratch (web of trust, etc.) is a good thing...
Impact for me. (Score:2)
Since I'm supporting an application that uses TeliaSonera certificates on the web server.
And changing to another certificate is probably not on the map since it runs at TeliaSonera.
Re: (Score:2)
If they follow through with it, and if the other browser makers follow them, then you won't have to worry about it.
A CA's business is all based on trust. As soon as they're known to be untrustworthy then they're dead. Well, for any commerce or banking site at least. I expect the governments to still use them though. Even being suspect is enough to drive business away.
What we need is browsers pushing DNSSEC. Users are trained to look for the green padlock. If you display it as say yellow for a secure s
dangerous territory (Score:5, Insightful)
US, Canadian and European governments also spy on their citizens. So Mozilla now needs to determine whose spying is good and whose spying is bad. I'm not sure that's a business that Mozilla should be in.
Perhaps a better solution would be to make it easier and more user friendly for people to detect questionable certificates and choose which certificates you trust. But, of course, that would upset Western governments...