Slashdot Mirror


Mozilla Might Distrust Dutch Government Certs Over 'False Keys' (bleepingcomputer.com)

Long-time Slashdot reader Artem Tashkinov quotes BleepingComputer: Mozilla engineers are discussing plans to remove support for a state-operated Dutch TLS/HTTPS provider after the Dutch government has voted a new law that grants local authorities the power to intercept Internet communications using "false keys". If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate Authority (CA)...

This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic. Such covert technical capabilities include the use of "false keys," as mentioned in Article 45 1.b, a broad term that includes TLS certificates.

"Fears arise of mass Dutch Internet surveillance," reads a subhead on the article, citing a bug report which notes, among other things, the potential for man-in-the-middle attacks and the fact that the Netherlands hosts a major internet transit point.

5 of 112 comments

  1. Does it make sense to trust any govt key? by mellon · · Score: 4, Insightful

    This is a tough question, because arguably corporate-held keys aren't trustworthy either, but if we are to trust government keys, we need to know what the terms of governance are, and in general we don't. In the U.S., for example, government eavesdropping rules are secret. So trusting a PKI cert issued by the U.S. government is crazy. Of course, governments can also often compel private industry, and as we've seen, private industry can also engage in corrupt practices or careless practices. Honestly, PKI is pretty rickety.

    1. Re:Does it make sense to trust any govt key? by syzler · · Score: 3, Insightful

      However, if crypto toolkits would finally implement and actually validate certificates using "DNS-Based Authentication of Named Entities" (DANE), then all of this is moot since the DNS operator for a site would be able to specify which specific TLS key is being used by the site with a few DNS records. A government entity wouldn't be able to man in the middle a TLS connection without either cracking the TLS keys themselves or by compromising the root DNS server keys.
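
The check the comment above describes, as an added example that is not part of the thread: matching a presented server certificate against a DANE TLSA record (RFC 6698), for usage 3 (DANE-EE) only. It assumes the TLSA record has already been DNSSEC-validated; all function names are made up for this example, and `sample_cert` builds constructed, certificate-shaped DER rather than a real certificate.

```python
import hashlib
import hmac

def _tlv(buf, off):
    """Read one DER element at off; return (tag, value_start, value_end)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                   # long-form length
        size = n & 0x7F
        n, off = int.from_bytes(buf[off:off + size], "big"), off + size
    return tag, off, off + n

def spki_from_cert(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo inside an X.509 certificate."""
    _, off, _ = _tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, off, _ = _tlv(cert_der, off)                # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(cert_der, off)
    if tag == 0xA0:                                # optional [0] version
        off = nxt
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        _, _, off = _tlv(cert_der, off)
    return cert_der[off:_tlv(cert_der, off)[2]]

def tlsa_matches(rdata, cert_der):
    """Check a DNSSEC-validated TLSA RDATA string against the presented cert.
    Handles usage 3 (DANE-EE) only, where no CA signature is consulted."""
    usage, selector, mtype, data = rdata.split(None, 3)
    if usage != "3" or selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        raise ValueError("unsupported TLSA parameters")
    chosen = cert_der if selector == "0" else spki_from_cert(cert_der)
    if mtype != "0":                               # 1 = SHA-256, 2 = SHA-512
        chosen = (hashlib.sha256 if mtype == "1" else hashlib.sha512)(chosen).digest()
    return hmac.compare_digest(chosen, bytes.fromhex(data))

def _der(tag, content):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_cert(key, serial):
    """Constructed, cert-shaped DER (not a real certificate) carrying `key`."""
    empty = _der(0x30, b"")                        # placeholder SEQUENCEs
    spki = _der(0x30, empty + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + empty * 4 + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))
```

A record with selector 1 pins the public key, so a certificate for the same name carrying a different key fails the match regardless of which CA signed it, while a renewed certificate that reuses the key still passes.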

  2. Governments, take note by Opportunist · · Score: 5, Insightful

    This is what happens when you try to pull a stunt like this.

    Certificates are based on a system of trust. I trust a certificate because the issuer promises that it belongs to the party it was issued to. If that party now not only has the ability but also the obvious intent to intercept and snoop on traffic, the certificate is intrinsically untrustworthy. Because it can easily be used for such nefarious applications.

    The Netherlands just made all their certificates along with every certificate issuing company under their jurisdiction untrustworthy.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    1. Re:Governments, take note by cstacy · · Score: 3, Insightful

      This is what happens when you try to pull a stunt like this.

      Certificates are based on a system of trust. I trust a certificate because the issuer promises that it belongs to the party it was issued to. If that party now not only has the ability but also the obvious intent to intercept and snoop on traffic, the certificate is intrinsically untrustworthy. Because it can easily be used for such nefarious applications.

      The Netherlands just made all their certificates along with every certificate issuing company under their jurisdiction untrustworthy.

      What makes anyone think that certain various intelligence agencies (such as those in the USA and Europe in general) do not already have the means to sign "false certificates"? Through government intimidation, secret procedures, etc. In what way are the corporate-based CAs not secretly influenced by the government(s)?

    2. Re:Governments, take note by Opportunist · · Score: 4, Insightful

      Too high a risk to take.

      Blanket use of forged certificates would make it near impossible that such behaviour isn't eventually noticed, which would instantly lead to the whole certificate chain system coming down.

      If anything, such a tool would be used very carefully for high profile targets.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.