Mozilla Is Considering Revoking TeliaSonera Trust For Sales To Dictators
ndogg writes "Mozilla is considering pulling TeliaSonera from its list of root certificate SSL providers. They have asked for comments on this on their mailing list. They're concerned about the use of the certificates by those governments for spying on their citizens, particularly in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan — where TeliaSonera operates subsidiaries or is heavily invested. Mozilla's concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites — so-called man-in-the-middle attacks — and decrypt web traffic. This alleged activity would contradict Mozilla's policy against 'knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates.'"
Instead of trusting any of these companies (they'll sell to the US government as well, I'm sure), why not switch to Convergence? It reduces the need to trust companies like this.
Mozilla (and Google, and other browser makers) should include it by default in all their products (even if turned off) to make it easier for people to switch away from centralised systems. Viva le revolucion.
Mozilla still includes all kinds of questionable cert authorities. Once I learned that, I had to go through my default Firefox installs and remove all the ones by Chinese government arms and similar.
Why single out these countries? I will never need a cert signed by a foreign government - ANY foreign government. There are probably only about 5% of authorities I actually might trust included in Firefox. The rest are illegitimate for 99% of users.
Hell did any government official go to jail for the Gulf Of Tonkin false flag which cost 58,000 Americans their lives? How about for Fast & Furious which handed drug cartels weapons by the truckload and killed at least one border agent and countless civilians?
Frankly the US government is just as nasty and corrupt as the rest; read General Butler's "War is a racket" speech sometime. That speech is nearly a century old and could have been taken from the current papers: wars all over the place for the benefit of a few rich people and corps. If the US gov told me it was raining outside, I'd want a second opinion.
ACs don't waste your time replying, your posts are never seen by me.
The whole point of certificates and SSL is to protect communications between the browser and the web server. It's not "to protect communications from everyone except the government". It's to protect it from EVERYONE - including (and sometimes especially) the government.
It's good to see browser maintainers recognizing that the browser is an essential - albeit uncertified - part of HTTPS authentication.
The preinstalled root certs have enormous leverage. If the validation of certificate requests performed by CAs is a known weak link in X.509, how much more so the point where those CAs are designated as trusted?
Thanks to the efforts of Mozilla, among others, we have a much more diverse browser ecosystem than even a few years ago. To some extent at least, the free market can decide which browser to use. I know that I'm more inclined to use a product that is squarely on the side of human rights than one which can be used as an instrument of oppression. And these difficult questions of policy and enforcement provide a chance for Mozilla to distinguish itself, which I think it's doing very ably.
Parity: What to do when the weekend comes.
I'm not particularly impressed with Convergence in particular. What seems to make the most sense is to self-publish SSL certificates using DNSSEC.
Why doesn't everyone use SRP instead?
- User proves it has password without divulging any data.
- Man in the middle obtains zero information.
- Generates encryption key for rest of the connection.
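The three properties listed above are exactly what SRP-6a delivers: the client never sends the password or anything derived from it that the server could replay, an observer of the exchange sees only the salt and two public values, and both sides end up with a shared session key. The walk-through below is an added, self-contained illustration, not code from this thread; it assumes the 1024-bit group from RFC 5054 with SHA-256 as the hash, and the username and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A, generator 2 (assumed; verify
# against the RFC before relying on it). The arithmetic below holds for any
# modulus, but only a safe prime gives the security argument.
N_HEX = ("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
         "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
         "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
         "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3")
N = int(N_HEX, 16)
g = 2
N_BYTES = (N.bit_length() + 7) // 8


def to_bytes(n: int) -> bytes:
    """Fixed-width big-endian encoding, so hashes are unambiguous."""
    return n.to_bytes(N_BYTES, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


# SRP-6a multiplier; it blocks the attack where a bogus server tests two
# password guesses per exchange.
k = H(to_bytes(N), to_bytes(g))


def private_x(salt: bytes, username: bytes, password: bytes) -> int:
    """x = H(salt | H(username ':' password)). Only the client computes this."""
    inner = hashlib.sha256(username + b":" + password).digest()
    return H(salt, inner)


def enroll(username: bytes, password: bytes):
    """Registration, done once over a trusted channel. The server stores
    (salt, verifier v = g^x mod N) and never sees the password itself."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return salt, v


def run_exchange(username: bytes, enrolled_password: bytes, attempt: bytes) -> dict:
    """One SRP-6a login. Returns what each side derived plus what an observer saw."""
    salt, v = enroll(username, enrolled_password)

    # Client -> server: username and ephemeral public value A = g^a.
    a = secrets.randbits(256)
    A = pow(g, a, N)

    # Server: reject a degenerate A, then answer with salt and B = k*v + g^b.
    if A % N == 0:
        raise ValueError("client sent A = 0 mod N")
    b = secrets.randbits(256)
    B = (k * v + pow(g, b, N)) % N

    # Both sides: scrambling parameter u binds the session to both values.
    if B % N == 0:
        raise ValueError("server sent B = 0 mod N")
    u = H(to_bytes(A), to_bytes(B))
    if u == 0:
        raise ValueError("u = 0")

    # Client side: S = (B - k*g^x)^(a + u*x). With the right password,
    # B - k*g^x == g^b, so S == g^(b(a + u*x)).
    x = private_x(salt, username, attempt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(to_bytes(S_client)).digest()
    M1 = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_client).digest()

    # Server side: S = (A * v^u)^b == g^(b(a + u*x)) as well.
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    K_server = hashlib.sha256(to_bytes(S_server)).digest()
    expected_M1 = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_server).digest()
    authenticated = hmac.compare_digest(M1, expected_M1)

    # Server proof back to the client, only sent when the client's proof held.
    M2 = hashlib.sha256(to_bytes(A) + M1 + K_server).digest() if authenticated else None

    return {
        "authenticated": authenticated,
        "keys_match": K_client == K_server,
        "server_proof": M2,
        # Everything a man in the middle could record from the wire.
        "observed": {"salt": salt, "A": A, "B": B, "M1": M1},
    }
```

Note what never crosses the wire: the password, x, and the verifier v. The wrong-password case is the interesting one for the comment's second bullet: the server only learns that M1 did not verify, and the recorded values give an eavesdropper nothing to test offline without first solving the discrete log in the group.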
Strange. Almost everyone who has issues with the corruption found in American politics is labeled as a "communist".
And, if my wealth, relative to that of the rest of the world, depends on a subservient Latin America - well, I don't need or want it.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
First, this is coming from a die hard libertarian.
You do realize that the idea of taxes is to pay for things that everyone uses, but would be infeasible to be run by private entities. This so called extortion you speak of is basically making you pay for that which you use. i.e. not stealing it. Any sane individual has no problem with paying taxes for public services, the disagreement comes into what should be a public service and what should not.
And your statement on fraud confirms you do not know what fraud is. I may not know everything the government does with the money I give them, but I do know that it's not swindled from me, and I do know what a lot of it goes towards. Fraud would be being told you're paying for one thing, then either not getting it at all, or getting something very different, and worth much less.
And everything is pro-freedom except when it's not. I expect to be free to do what I want, except when it violates the freedoms of other people. I don't expect to have the freedom to get in my car drunk off my ass and drive down the road. That endangers the freedom of other people to exist.
Seriously, are you trolling or just stupid?
I use certificate patrol. It basically warns you if a cert has changed suspiciously, or if the CA has changed.
It's flawed in that it only remembers one cert per domain for comparison, and nowadays, for whatever reasons, companies like Facebook and Google often use different certs signed by different CAs for the same domains and spread the load/connections amongst them. So you can get more warning prompts than you'd want.
This doesn't mean the concept is broken though, just that Certificate Patrol's particular implementation has room for improvement.
The desired case is, if at home you decide that the different certs you get from gmail or facebook are OK (and told the plugin to ignore them), then go to some foreign country and suddenly you get certs that are signed by TeliaSonera, you'd get a warning message and you'd know that something was up and choose not to login.
Same goes for logging in to your bank/corporate site while on a business trip to China. If the cert changes unexpectedly - from being signed by say Equifax to being signed by CNNIC, you should get a warning too.
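The improvement the comments above describe is straightforward to state as code: remember every certificate a host has ever presented together with its issuer, treat a new leaf from an already-seen issuer as routine rotation or load balancing, and raise the alarm only when a host suddenly appears under an issuer it has never used. The following is an added Python sketch of that trust-on-first-use store, not Certificate Patrol's own code; the hosts, issuer names and fingerprints in the scenario are constructed sample values, and the `Observation` input stands in for what a browser extension would read from the TLS handshake.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """What the browser sees for one connection (constructed input here)."""
    host: str
    issuer: str       # Issuer name on the leaf certificate as presented
    fingerprint: str  # SHA-256 of the DER-encoded leaf, hex


class PinStore:
    """Trust-on-first-use memory: every accepted (fingerprint -> issuer) per host."""

    def __init__(self):
        self._hosts: dict[str, dict[str, str]] = {}

    def check(self, obs: Observation) -> str:
        seen = self._hosts.get(obs.host)
        if seen is None:
            return "first-seen"        # nothing to compare against yet
        if obs.fingerprint in seen:
            return "known"             # exactly this cert was accepted before
        if obs.issuer in seen.values():
            return "rotated"           # new leaf, but from a CA this host already used
        return "issuer-changed"        # a CA this host has never used: the MITM signal

    def accept(self, obs: Observation) -> None:
        self._hosts.setdefault(obs.host, {})[obs.fingerprint] = obs.issuer

    def dumps(self) -> str:
        """Serialise so the memory survives restarts and travels with the profile."""
        return json.dumps(self._hosts, sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "PinStore":
        store = cls()
        store._hosts = json.loads(text)
        return store


def process(store: PinStore, observations, accept_rotated: bool = True):
    """Run the observations through the store and return (host, issuer, verdict).
    'issuer-changed' is never recorded automatically; that is the user's call."""
    verdicts = []
    for obs in observations:
        verdict = store.check(obs)
        verdicts.append((obs.host, obs.issuer, verdict))
        if verdict in ("first-seen", "known") or (verdict == "rotated" and accept_rotated):
            store.accept(obs)
    return verdicts


def scenario():
    """Constructed walk-through: learn at home, then connect from abroad."""
    google_ca = "Google Internet Authority G2"
    equifax_ca = "Equifax Secure Certificate Authority"
    foreign_ca_1 = "TeliaSonera (constructed issuer name)"
    foreign_ca_2 = "CNNIC (constructed issuer name)"

    at_home = [
        Observation("mail.google.com", google_ca, "a1" * 32),
        Observation("mail.google.com", google_ca, "b2" * 32),   # alternate cert, same CA
        Observation("bank.example", equifax_ca, "c3" * 32),
    ]
    home_store = PinStore()
    home_verdicts = process(home_store, at_home)

    # Persist and reload, as a real extension would between sessions.
    travel_store = PinStore.loads(home_store.dumps())
    abroad = [
        Observation("mail.google.com", foreign_ca_1, "d4" * 32),
        Observation("bank.example", foreign_ca_2, "e5" * 32),
        Observation("mail.google.com", google_ca, "a1" * 32),   # the genuine cert again
    ]
    travel_verdicts = process(travel_store, abroad)
    return home_verdicts + travel_verdicts
```

The rotation rule is a policy choice rather than a security guarantee: a compromised or coerced CA that the host already uses would slip through as "rotated", so a stricter deployment would prompt on that verdict as well and accept it only on a network the user trusts.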
How about giving us a specific link to a faked certificate from a specific "US" CA?
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
I mean, they've been issuing intermediate CA certs to various 'friendly' governments and agencies, to support MITM (for 'lawful interceptions' only, of course).
Will Mozilla remove them too, since they seem to be breaching that same policy?
US, Canadian and European governments also spy on their citizens. So Mozilla now needs to determine whose spying is good and whose spying is bad. I'm not sure that's a business that Mozilla should be in.
Perhaps a better solution would be to make it easier and more user friendly for people to detect questionable certificates and choose which certificates they trust. But, of course, that would upset Western governments...
Your original comment said "Frankly the US government is just as nasty and corrupt as the rest[...]", against which examples of other, worse regimes is a quite effective argument.