Slashdot Mirror


Mozilla Is Considering Revoking TeliaSonera Trust For Sales To Dictators

ndogg writes "Mozilla is considering pulling TeliaSonera from its list of root certificate SSL providers. They have asked for comments on this on their mailing list. They're concerned about the use of the certificates by those governments for spying on its citizens, particularly in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan — where TeliaSonera operates subsidiaries or is heavily invested. Mozilla's concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites — so-called man-in-the-middle attacks — and decrypt web traffic. This alleged activity would contradict Mozilla's policy against 'knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates.'"

28 of 123 comments

  1. Decentralised is the way to go. by Anonymous Coward · · Score: 4, Insightful

    Instead of trusting any of these companies (they'll sell to the US government as well, I'm sure), why not switch to Convergence? It reduces the need to trust companies like this.

    Mozilla (and Google, and other browser makers) should include it by default in all their products (even if turned off) to make it easier for people to switch away from centralised systems. Viva le revolucion.

    1. Re:Decentralised is the way to go. by bill_mcgonigle · · Score: 2

      A great feature of Convergence is the ability to have multiple signatures. HTTPS needs this too. Imagine the current scenario where gmail regularly has 25 signers on its certificate and then one day there is only one. With something like EFF's HTTPS Everywhere SSL Observatory, this could be flagged.

      But, switching TLS signing to PGP is a big deal and not backwards compatible. What I'd like to see (somebody else do this so I don't have to) would be an extension that would allow multiple certificates to be presented to the client. Old clients would just get the first one, newer clients could get multiple certs from a server. Clunky, yes, but backwards compatible.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. There are many others. by Anonymous Coward · · Score: 4, Insightful

    Mozilla still includes all kinds of questionable cert authorities. Once I learned that, I had to go through my default Firefox installs and remove all the ones by Chinese government arms and similar.

    Why single out these countries? I will never need a cert signed by a foreign government - ANY foreign government. There are probably only about 5% of authorities I actually might trust included in Firefox. The rest are illegitimate for 99% of users.

    1. Re:There are many others. by interval1066 · · Score: 4, Insightful

      I will never need a cert signed by a foreign government - ANY foreign government.

      I'm having a hard time with trusting domestic governments as well.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    2. Re:There are many others. by rtfa-troll · · Score: 2

      Mozilla still includes all kinds of questionable cert authorities.

      Oh yes? Please list them and link to a certificate provided by one of them which has been issued without the permission of the party it has reputedly been issued to. Specifics please. This is the criteria, more or less the only criteria, which makes a cert authority questionable. Otherwise you are just (correctly) questioning the CA system which doesn't do what you think it does.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  3. Re:Mozilla Corporation - Fighting for Freedom agai by hairyfeet · · Score: 4, Insightful

    Hell did any government official go to jail for the Gulf Of Tonkin false flag which cost 58,000 Americans their lives? How about for Fast & Furious which handed drug cartels weapons by the truckload and killed at least one border agent and countless civilians?

    Frankly the US government is just as nasty and corrupt as the rest, read general Butler's "War is a racket" speech sometime. That speech is nearly a century old and could have been taken from the current papers, wars all over the place for the benefit of a few rich people and corps, if the US gov told me it was raining outside? I'd want a second opinion.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  4. Re:Mozilla Corporation - Fighting for Freedom agai by agm · · Score: 5, Insightful

    The whole point of certificates and SSL is to protect communications between the browser and the web server. It's not "to protect communications from everyone except the government". It's to protect it from EVERYONE - including (and sometimes especially) the government.

  5. Good to see by starfishsystems · · Score: 4, Interesting

    It's good to see browser maintainers recognizing that the browser is an essential - albeit uncertified - part of HTTPS authentication.

    The preinstalled root certs have enormous leverage. If the validation of certificate requests performed by CAs is a known weak link in X.509, how much more so the point where those CAs are designated as trusted?

    Thanks to the efforts of Mozilla, among others, we have a much more diverse browser ecosystem than even a few years ago. To some extent at least, the free market can decide which browser to use. I know that I'm more inclined to use a product that is squarely on the side of human rights than one which can be used as an instrument of oppression. And these difficult questions of policy and enforcement provide a chance for Mozilla to distinguish itself, which I think it's doing very ably.

    --
    Parity: What to do when the weekend comes.
    1. Re:Good to see by girlintraining · · Score: 2

      I know that I'm more inclined to use a product that is squarely on the side of human rights than one which can be used as an instrument of oppression.

      Then you may want to consider not using Mozilla. They're talking about pulling the certificate authority of a half dozen smaller countries on the suspicion that it has cooperated with those governments' lawful requests to monitor their citizens' internet access. Or as it is called on slashdot, "spying." But here's the thing: There's no proof. It's just a suspicion... and it's a suspicion based on guilt by association no less.

      So Mozilla is proposing forcing some of the people in these countries to use insecure communications on the suspicion that their governments may be trying to force their citizens to use insecure communications.

      Sounds legit.

      --
      #fuckbeta #iamslashdot #dicemustdie
  6. DNSSEC for certificate distribution by crow · · Score: 3, Interesting

    I'm not particularly impressed with Convergence in particular. What seems to make the most sense is to self-publish SSL certificates using DNSSEC.

    1. Re:DNSSEC for certificate distribution by Anonymous Coward · · Score: 2, Interesting

      Proper DNSSEC uses a single trust anchor for the root "." that can validate the delegated registries (com., net., uk., fr.). DLV registries were a hack until the root zone got signed, which has now happened.

      For DNSSEC to work you need to validate the responses of signed zones and you need to trust their corresponding registries (for .com Verisign). The person signs their zone (example.com) and pushes their public key up to Verisign in the form of a DS record. The registry can remove the public key, causing the zone to be DNSSEC insecure (the usual case with most domains) OR they can modify the public key causing SERVFAIL for DNSSEC aware resolvers OR they can modify the public key and the authoritative nameservers for your domain and do whatever they want... since they are the registrar. Bottom line: if you don't trust the registrar for your domain, you are already screwed.

      If you don't already have control of your own authoritative DNS servers then your host could be forced to change the records anyway. It's all a horrible mess.
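
As an added illustration (my code, not part of the comment above and not code from any DNS software), the following Python models the DS/DNSKEY link the commenter describes and reports what a validating resolver concludes under each of the three registry actions. It generalizes the comment's example.com case to any owner name. The DNSKEY bytes and DS values are constructed, and the function names are my own.

```python
import hashlib
import hmac
import struct

# Added example, not code from the comment or from any DNS implementation.
# Models how a parent zone's DS record binds a child's DNSKEY (RFC 4034 / RFC 4509).

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (a checksum, not a security property)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """The DS record the child pushes up to the registry:
    (key tag, algorithm, digest type 2, SHA-256 over owner name + DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def resolver_verdict(owner: str, child_rdata: bytes, parent_ds_set: list) -> str:
    """What a validating resolver concludes for `owner` from the parent's DS set.
    'insecure': no DS published, zone treated as unsigned (the comment's 'usual case');
    'secure':   a DS matches the DNSKEY the child's nameservers serve;
    'bogus':    DS present but nothing matches, i.e. SERVFAIL for DNSSEC-aware resolvers."""
    if not parent_ds_set:
        return "insecure"
    expected = make_ds(owner, child_rdata)
    for ds in parent_ds_set:
        if ds[:3] == expected[:3] and hmac.compare_digest(ds[3], expected[3]):
            return "secure"
    return "bogus"

def registry_scenarios(owner: str = "example.com.") -> dict:
    """The honest baseline plus the three registry actions from the comment."""
    owner_key = dnskey_rdata(257, 13, b"constructed-owner-key-bytes")        # constructed, not a real key
    registry_key = dnskey_rdata(257, 13, b"constructed-registry-key-bytes")  # constructed, not a real key
    honest_ds = make_ds(owner, owner_key)
    altered_ds = (honest_ds[0], honest_ds[1], honest_ds[2], bytes(32))       # digest no longer matches
    return {
        "honest": resolver_verdict(owner, owner_key, [honest_ds]),
        "ds_removed": resolver_verdict(owner, owner_key, []),
        "ds_altered": resolver_verdict(owner, owner_key, [altered_ds]),
        # registry replaces both the DS and the nameservers: the chain validates just the same
        "ds_and_ns_swapped": resolver_verdict(owner, registry_key, [make_ds(owner, registry_key)]),
    }

if __name__ == "__main__":
    for case, verdict in registry_scenarios().items():
        print(f"{case:18s} -> {verdict}")
```

The last scenario is the commenter's "already screwed" point in code: from the resolver's side the swapped chain is indistinguishable from the honest one, so the only defence is watching the DS set the parent publishes for your own zone and alarming on any change you did not make.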

    2. Re:DNSSEC for certificate distribution by slimjim8094 · · Score: 2

      It's not some entity other than the one who's already directing you to the website. Presumably if it were easier to redirect at the DNS level as opposed to MITMing and getting a fake certificate, people would be doing that instead. It also makes any compromise much more visible and reduces the number of people you need to trust absolutely.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  7. SSL is broken by design by ivrogne · · Score: 3, Interesting

    Why doesn't everyone use SRP instead?
    - User proves it has password without divulging any data.
    - Man in the middle obtains zero information.
    - Generates encryption key for rest of the connection.
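
To make the three properties above concrete, here is an added SRP-6a exchange in Python (my example, not the commenter's code). It assumes the 1024-bit prime from RFC 5054 Appendix A with generator 2, SHA-256 as the hash, and constructed user credentials. It shows both sides' messages, the verifier the server stores instead of the password, and that a wrong password yields a session key the server rejects.

```python
import hashlib
import os

# Added example: SRP-6a as in RFC 5054, in pure Python. Not code from the comment.
# Group: RFC 5054 Appendix A 1024-bit prime, generator 2. Hash: SHA-256 (my choice here).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_BYTES = (N.bit_length() + 7) // 8

def pad(x: int) -> bytes:
    return x.to_bytes(N_BYTES, "big")

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))                        # SRP-6a multiplier parameter

def private_key(username: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(username ':' password)); computed only on the client."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)

def enrol(username: str, password: str):
    """Client-side enrolment. The server stores (salt, v = g^x mod N), never the password."""
    salt = os.urandom(16)
    return salt, pow(g, private_key(username, password, salt), N)

def client_start():
    a = int.from_bytes(os.urandom(32), "big")
    return a, pow(g, a, N)                   # A is sent to the server

def server_start(v: int):
    b = int.from_bytes(os.urandom(32), "big")
    return b, (k * v + pow(g, b, N)) % N     # B is sent to the client along with the salt

def client_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("server sent B = 0")
    u = H(pad(A), pad(B))
    x = private_key(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()

def server_key(v, b, A, B) -> bytes:
    if A % N == 0:
        raise ValueError("client sent A = 0")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)    # = g^(b(a + u x)), same value the client reaches
    return hashlib.sha256(pad(S)).digest()

def run_exchange(username: str, password_typed: str, salt: bytes, v: int):
    """Full exchange. Returns (client key, server key, server accepted?, messages on the wire)."""
    a, A = client_start()
    b, B = server_start(v)
    Kc = client_key(username, password_typed, salt, a, A, B)
    Ks = server_key(v, b, A, B)
    m1 = hashlib.sha256(pad(A) + pad(B) + Kc).digest()               # client proves it holds K
    server_accepts = m1 == hashlib.sha256(pad(A) + pad(B) + Ks).digest()
    return Kc, Ks, server_accepts, {"A": A, "salt": salt, "B": B, "M1": m1}

if __name__ == "__main__":
    salt, v = enrol("alice", "correct horse")                          # constructed credentials
    Kc, Ks, ok, wire = run_exchange("alice", "correct horse", salt, v)
    print("keys match:", Kc == Ks, "server accepts:", ok)
    Kc, Ks, ok, wire = run_exchange("alice", "wrong password", salt, v)
    print("keys match:", Kc == Ks, "server accepts:", ok)
```

Everything in `wire` is what a man in the middle sees: A, the salt, B and the proof M1, none of which lets it recover the password or the session key, and the server side never handles the password at all, only the verifier v.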

  8. it will be hard to not drop them now by roozta · · Score: 2

    Interesting discussion on the Mozilla forum. In light of the information so far, it seems like it would be difficult for Mozilla to keep TeliaSonera as trusted and not lose face. It will be interesting to see what kind of implications this has going forward in regards to dealing with other CAs that have practices or relationships that might fall into the similar shady areas as TeliaSonera. There are some forum posts mentioning that maybe Cybertrust (acquired by Verizon - known for participating in surveillance activity) and Entrust (related to BlueCoat via Thoma Bravo) as possibly requiring similar scrutiny.

  9. Re:Mozilla Corporation - Fighting for Freedom agai by Anonymous Coward · · Score: 2, Insightful

    "As nasty and corrupt as..." ... China under Mao? Venezuela under Chavez? Cuba under Castro? The USSR under Lenin and Stalin? Cambodia under Pol Pot? The DPRK under the various Kims? Zimbabwe under Mugabe? Zaire/the Congo under Mobutu?

    Care to revise your bullshit story?

    For all of America's, the American government's, and its leaders' flaws - and of course they are many (and one wonders how your life would stand up upon the withering criticism and examination that the life of a President, for example, gets) - I believe very few of our leaders have ever had a genuine desire to harm people nor have they harbored a profound megalomania. Ego - of course; megalomania - no. Sure, go ahead and despise a President because of their ideological orientation that you disagree with but the notion of the Chomskyites, this strange Kool-Aid they like to guzzle, being fed doses of pablum about "American Imperialism" and the "Military-Industrial Complex" and railing endlessly about the "Evils of Capitalism" yet enjoying its countless benefits (you know, like jobs, homes, clothes, electronics, computers, global air travel, and this weird little thing called the Internet), never proffering a meaningful let alone viable alternative, I am convinced is one of the luxuries provided by the American model of capitalism and Constitutional governance. Trust me if you were to write what you wrote about Mugabe your flesh-burned and -torn body (they wouldn't spend a bullet on you, lest they lose out on a good opportunity to torture you first) would soon be found on the roadside somewhere.

    And, if you despise America, think it hopelessly corrupt and nasty "as the rest" then why not leave it for greener pastures? Maybe some other country has it figured out better than we do? According to Michael Moore, Cuba has the best medical care in the world. Just ask Hugo Chavez.

  10. Re:Mozilla Corporation - Fighting for Freedom agai by tepples · · Score: 2

    It's hardly a country that loves freedom if it regulates people's personal lives like this.

    It's a federal country. You have the freedom to leave a state that doesn't respect your freedom for one that does.

    How can the US be pro freedom if it actively harms people by confiscating property off them using a threat of force?

    Without taxation, there is no way to fund a court or police force. Without those, there is no way to enforce the laws against a private citizen using force or fraud to coerce another private citizen. Or what am I missing?

  11. Re:Mozilla Corporation - Fighting for Freedom agai by Runaway1956 · · Score: 2

    "There is no good or bad."

    You were making sense, until you wrote that bit of drivel. Yes, child, there really IS good, and there really IS bad. I can agree with you that the US government often doesn't know the difference. I can agree that the US government is in no position to be the final arbiter of good and bad. But, there really are evil sumbitches in the world. A significant number of them occupy positions of power.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  12. Re:Mozilla Corporation - Fighting for Freedom agai by Runaway1956 · · Score: 5, Insightful

    Strange. Almost everyone who has issues with the corruption found in American politics is labeled as a "communist".

    And, if my wealth, relative to that of the rest of the world, depends on a subservient Latin America - well, I don't need or want it.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  13. Re:Mozilla Corporation - Fighting for Freedom agai by Anonymous Coward · · Score: 5, Insightful

    First, this is coming from a die hard libertarian.

    You do realize that the idea of taxes is to pay for things that everyone uses, but would be infeasible to be run by private entities. This so called extortion you speak of is basically making you pay for that which you use. i.e. not stealing it. Any sane individual has no problem with paying taxes for public services, the disagreement comes into what should be a public service and what should not.

    And your statement on fraud confirms you do not know what fraud is. I may not know everything the government does with the money I give them, but I do know that it's not swindled from me, and I do know what a lot of it goes towards. Fraud would be being told you're paying for one thing, then either not getting it at all, or getting something very different, and worth much less.

    And everything is pro-freedom except when it's not. I expect to be free to do what I want, except when it violates the freedoms of other people. I don't expect to have the freedom to get in my car drunk off my ass and drive down the road. That endangers the freedom of other people to exist.

    Seriously, are you trolling or just stupid?

  14. Re:Mozilla Corporation - Fighting for Freedom agai by TheLink · · Score: 3, Interesting

    I use certificate patrol. It basically warns you if a cert has changed suspiciously, or if the CA has changed.

    It's flawed in that it only remembers one cert per domain for comparison and nowadays for whatever reasons companies like facebook and Google often use different certs signed by different CAs for the same domains and spread the load/connections amongst them. So you can get more warning prompts than you'd want.

    This doesn't mean the concept is broken though, just that Certificate Patrol's particular implementation has room for improvement.

    The desired case is, if at home you decide that the different certs you get from gmail or facebook are OK (and told the plugin to ignore them), then go to some foreign country and suddenly you get certs that are signed by TeliaSonera, you'd get a warning message and you'd know that something was up and choose not to login.

    Same goes for logging in to your bank/corporate site while on a business trip to China. If the cert changes unexpectedly - from being signed by say Equifax to being signed by CNNIC, you should get a warning too.

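As an added sketch of the detection logic described in this comment (my code, not Certificate Patrol's and not the commenter's), the following Python remembers every (issuer, fingerprint) pair the user has accepted for a host, so a site that spreads load over several certificates from different CAs prompts once per certificate rather than on every visit, and it still warns when a CA never seen for that host appears, which is the travel case described above. Hosts, CA names and fingerprints are constructed sample values, not real certificates.

```python
import hashlib

# Added example of a Certificate-Patrol-style change detector; not the extension's code.
# Each observation is (host, issuing CA name, SHA-256 fingerprint of the leaf); all values constructed.

class PinStore:
    """Remembers every (issuer, fingerprint) pair the user has accepted, per host."""

    def __init__(self):
        self.accepted = {}                       # host -> set of (issuer, fingerprint)

    def accept(self, host: str, issuer: str, fingerprint: str) -> None:
        self.accepted.setdefault(host, set()).add((issuer, fingerprint))

    def check(self, host: str, issuer: str, fingerprint: str) -> str:
        """Classify a certificate just presented for `host`."""
        known = self.accepted.get(host)
        if not known:
            return "first-sight"                 # nothing to compare against yet
        if (issuer, fingerprint) in known:
            return "ok"                          # exactly a certificate accepted before
        if issuer in {iss for iss, _ in known}:
            return "warn-new-cert"               # same CA, rotated leaf: usually routine
        return "warn-new-issuer"                 # a CA never seen for this host: stop and check

def fp(label: str) -> str:
    """Stand-in for a leaf fingerprint, derived from a label so runs are deterministic."""
    return hashlib.sha256(f"constructed:{label}".encode()).hexdigest()

def travel_scenario() -> list:
    """At home the user accepts two load-balanced certs for mail.example.com from two CAs;
    later a third cert arrives from a CA that has never signed for that host."""
    store = PinStore()
    verdicts = []
    home = [("CA-Alpha", fp("mail-1")), ("CA-Beta", fp("mail-2"))]
    for issuer, f in home:
        verdicts.append(store.check("mail.example.com", issuer, f))
        store.accept("mail.example.com", issuer, f)                            # user says these are fine
    verdicts.append(store.check("mail.example.com", "CA-Beta", fp("mail-2")))  # repeat visit, silent
    verdicts.append(store.check("mail.example.com", "CA-Alpha", fp("mail-3"))) # rotated leaf, mild warning
    verdicts.append(store.check("mail.example.com", "CA-Abroad", fp("abroad"))) # unknown CA, hard warning
    return verdicts

if __name__ == "__main__":
    for step, verdict in zip(["home-1", "home-2", "repeat", "rotated", "abroad"], travel_scenario()):
        print(f"{step:8s} -> {verdict}")
```

The second home certificate still prompts once, because at that moment its CA is new for the host; after the user accepts it, only a genuinely unfamiliar issuer produces the hard warning, which is the behaviour the comment asks for.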
  15. Re:Mozilla Corporation - Fighting for Freedom agai by rtfa-troll · · Score: 4, Insightful

    How about giving us a specific link to a faked certificate from a specific "US" CA?

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  16. Re:Mozilla Corporation - Fighting for Freedom agai by fustakrakich · · Score: 2

    According to Michael Moore, Cuba has the best medical care in the world. Just ask Hugo Chavez.

    No. The US has the best medical care in the world. Just ask Michael Jackson.

    --
    “He’s not deformed, he’s just drunk!”
  17. Haha. Ok, what about Verisign/etc? by X.25 · · Score: 5, Insightful

    I mean, they've been issuing intermediate CA certs to various 'friendly' governments and agencies, to support MITM (for 'lawful interceptions' only, of course).

    Will Mozilla remove them too, since they seem to be breaching that same policy?

    1. Re:Haha. Ok, what about Verisign/etc? by MMC+Monster · · Score: 2

      4 words:

      Too big to fail.

      Apparently if verisign is delisted, the internet stops working as expected.

      Which really means the internet is broken and needs to be fixed. Maybe delisting all the security signers and starting from scratch (web of trust, etc.) is a good thing...

      --
      Help! I'm a slashdot refugee.
  18. dangerous territory by stenvar · · Score: 4, Insightful

    US, Canadian and European governments also spy on their citizens. So Mozilla now needs to determine whose spying is good and whose spying is bad. I'm not sure that's a business that Mozilla should be in.

    Perhaps a better solution would be to make it easier and more user friendly for people to detect questionable certificates and choose which certificates you trust. But, of course, that would upset Western governments...

  19. Re:Mozilla Corporation - Fighting for Freedom agai by L4t3r4lu5 · · Score: 2

    I would argue that anyone logging in to their corporate site from China without using a VPN with a self-signed certificate is doing it wrong. Hell, I'm going on holiday to Australia later in the year and I'm setting up a VPN to my home network so I can use email etc without worrying about my credentials being lifted by any local agency. I know it's a little much for most home users, but for anyone with even an inkling of tech knowhow or a corporate user it should be mandatory.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  20. Re:Mozilla Corporation - Fighting for Freedom agai by sFurbo · · Score: 4, Insightful

    Your original comment said "Frankly the US government is just as nasty and corrupt as the rest[...]", against which examples of other, worse regimes is a quite effective argument.

  21. Re:Mozilla Corporation - Fighting for Freedom agai by sFurbo · · Score: 2

    I am not saying anything about what is OK, and I think much of what the US government is doing and have done is very far from OK.

    But that was not what we were discussing. You said that the US government was "as nasty and corrupt as the rest", the AC pointed out some examples that he felt were worse while acknowledging that the US did have its own problems, and you interpreted that as giving the US a free pass. I pointed out that that was not what the AC said, and you have now accused ME of saying everything the US does is OK. Let's see if you can get a hat-trick, and misinterpret this post as well!