Slashdot Mirror


Mozilla Is Considering Revoking TeliaSonera Trust For Sales To Dictators

ndogg writes "Mozilla is considering pulling TeliaSonera from its list of root certificate SSL providers. They have asked for comments on this on their mailing list. They're concerned about the use of the certificates by those governments for spying on their citizens, particularly in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan — where TeliaSonera operates subsidiaries or is heavily invested. Mozilla's concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites — so-called man-in-the-middle attacks — and decrypt web traffic. This alleged activity would contradict Mozilla's policy against 'knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates.'"

5 of 123 comments

  1. Good to see by starfishsystems · · Score: 4, Interesting

    It's good to see browser maintainers recognizing that the browser is an essential - albeit uncertified - part of HTTPS authentication.

    The preinstalled root certs have enormous leverage. If the validation of certificate requests performed by CAs is a known weak link in X.509, how much more so the point where those CAs are designated as trusted?

    Thanks to the efforts of Mozilla, among others, we have a much more diverse browser ecosystem than even a few years ago. To some extent at least, the free market can decide which browser to use. I know that I'm more inclined to use a product that is squarely on the side of human rights than one which can be used as an instrument of oppression. And these difficult questions of policy and enforcement provide a chance for Mozilla to distinguish itself, which I think it's doing very ably.

    --
    Parity: What to do when the weekend comes.
  2. DNSSEC for certificate distribution by crow · · Score: 3, Interesting

    I'm not particularly impressed with Convergence in particular. What seems to make the most sense is to self-publish SSL certificates using DNSSEC.

    1. Re:DNSSEC for certificate distribution by Anonymous Coward · · Score: 2, Interesting

      Proper DNSSEC uses a single trust anchor for the root "." that can validate the delegated registries (com., net., uk., fr.). DLV registries were a hack until the root zone got signed, which has now happened.

      For DNSSEC to work you need to validate the responses of signed zones and you need to trust their corresponding registries (for .com Verisign). The person signs their zone (example.com) and pushes their public key up to Verisign in the form of a DS record. The registry can remove the public key, causing the zone to be DNSSEC unsecure (the usual case with most domains) OR they can modify the public key causing SERVFAIL for DNSSEC-aware resolvers OR they can modify the public key and the authoritative nameservers for your domain and do whatever they want... since they are the registrar. Bottom line: if you don't trust the registrar for your domain, you are already screwed.

      If you don't already have control of your own authoritative DNS servers then your host could be forced to change the records anyway. It's all a horrible mess.

  3. SSL is broken by design by ivrogne · · Score: 3, Interesting

    Why doesn't everyone use SRP instead?
    - User proves it has password without divulging any data.
    - Man in the middle obtains zero information.
    - Generates encryption key for rest of the connection.

  4. Re:Mozilla Corporation - Fighting for Freedom agai by TheLink · · Score: 3, Interesting

    I use certificate patrol. It basically warns you if a cert has changed suspiciously, or if the CA has changed.

    It's flawed in that it only remembers one cert per domain for comparison and nowadays for whatever reasons companies like Facebook and Google often use different certs signed by different CAs for the same domains and spread the load/connections amongst them. So you can get more warning prompts than you'd want.

    This doesn't mean the concept is broken though, just that Certificate Patrol's particular implementation has room for improvement.

    The desired case is, if at home you decide that the different certs you get from gmail or facebook are OK (and tell the plugin to ignore them), then go to some foreign country and suddenly you get certs that are signed by TeliaSonera, you'd get a warning message and you'd know that something was up and choose not to log in.

    Same goes for logging in to your bank/corporate site while on a business trip to China. If the cert changes unexpectedly - from being signed by say Equifax to being signed by CNNIC, you should get a warning too.

    --
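
The behaviour asked for in comment 4, as an added example that is not part of the thread and is not Certificate Patrol's code: a trust-on-first-use store that keeps every accepted certificate per host instead of one, so load-balanced certs stop prompting while an issuer never seen for that host still raises a warning. The class name, verdict strings, host name, CA names and byte strings are constructed for illustration, and matching issuers by name is a simplifying assumption (a real tool would compare the issuer's key).

```python
import hashlib

class PinStore:
    """Trust-on-first-use store keeping every accepted cert per host, not just one."""

    def __init__(self):
        self.accepted = {}  # host -> {sha256 fingerprint: issuer name}

    def check(self, host, der, issuer):
        """Return (verdict, fingerprint) for a certificate presented by host."""
        fp = hashlib.sha256(der).hexdigest()
        known = self.accepted.get(host)
        if known is None:
            return "first-seen", fp          # nothing to compare against yet
        if fp in known:
            return "known", fp               # exact cert already accepted
        if issuer in known.values():
            return "new-cert-same-ca", fp    # rotation or load-balanced cert
        return "new-ca", fp                  # issuer never seen for this host

    def accept(self, host, fp, issuer):
        """Record the user's decision to trust this cert for this host."""
        self.accepted.setdefault(host, {})[fp] = issuer


def demo():
    """Replay constructed observations; byte strings stand in for DER certs."""
    store = PinStore()
    verdicts = []
    home = [  # (host, stand-in DER bytes, issuer) seen and accepted at home
        ("mail.example", b"cert-A", "Example CA 1"),
        ("mail.example", b"cert-B", "Example CA 2"),
    ]
    for host, der, issuer in home:
        verdict, fp = store.check(host, der, issuer)
        verdicts.append(verdict)
        store.accept(host, fp, issuer)
    # Later: one already-accepted cert, one rotation, one unexpected issuer.
    for host, der, issuer in [
        ("mail.example", b"cert-B", "Example CA 2"),
        ("mail.example", b"cert-C", "Example CA 1"),
        ("mail.example", b"cert-D", "Unexpected CA"),
    ]:
        verdicts.append(store.check(host, der, issuer)[0])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

A `new-cert-same-ca` verdict only lowers the noise; it does not show the certificate is legitimate, since the same CA could have issued it to someone else.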