Mozilla Might Distrust Dutch Government Certs Over 'False Keys' (bleepingcomputer.com) 8
Long-time Slashdot reader Artem Tashkinov quotes BleepingComputer: Mozilla engineers are discussing plans to remove support for a state-operated Dutch TLS/HTTPS provider after the Dutch government has voted a new law that grants local authorities the power to intercept Internet communications using "false keys". If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate Authority (CA)...
This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic. Such covert technical capabilities include the use of "false keys," as mentioned in Article 45 1.b, a broad term that includes TLS certificates.
"Fears arise of mass Dutch Internet surveillance," reads a subhead on the article, citing a bug report which notes, among other things, the potential for man-in-the-middle attacks and the fact that the Netherlands hosts a major internet transit point.
This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic. Such covert technical capabilities include the use of "false keys," as mentioned in Article 45 1.b, a broad term that includes TLS certificates.
"Fears arise of mass Dutch Internet surveillance," reads a subhead on the article, citing a bug report which notes, among other things, the potential for man-in-the-middle attacks and the fact that the Netherlands hosts a major internet transit point.
Does it make sense to trust any govt key? (Score:3)
This is a tough question, because arguably corporate-held keys aren't trustworthy either, but if we are to trust government keys, we need to know what the terms of governance are, and in general we don't. In the U.S., for example, government eavesdropping rules are secret. So trusting a PKI cert issued by the U.S. government is crazy. Of course, governments can also often compel private industry, and as we've seen, private industry can also engage in corrupt practices or careless practices. Honestly, PKI is pretty rickety.
Re: (Score:3)
The problem is the whole system is set up so you either trust a key signer for any key they sign or you don't trust them at all. There isn't currently a mechanism where you can conditionally trust a key signed by a government.
Governments, take note (Score:5, Insightful)
This is what happens when you try to pull a stunt like this.
Certificates are based on a system of trust. I trust a certificate because the issuer promises that it belongs to the party it was issued to. If that party now not only has the ability but also the obvious intent to intercept and snoop on traffic, the certificate is intrinsically untrustworthy. Because it can easily be used for such nefarious applications.
The Netherlands just made all their certificates along with every certificate issuing company under their jurisdiction untrustworthy.
Who do you trust? (Score:2)
We have been existing for a long time without https, but now we want a certificate for everything, even places where is trust isnâ(TM)t needed. One of the issues I see is that there is a difference between trust and encryption, but the average user may not make the distinction.
Also, to the average user it isnâ(TM)t clear who the third party they are trusting is and whether they are any more trustworthy. This leads to the risk of blind trust and the consequences that go with it. A bit like afreeing