Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Might Distrust Dutch Government Certs Over 'False Keys' (bleepingcomputer.com)

Posted by EditorDavid on from the forgoing-Dutch dept.

Long-time Slashdot reader Artem Tashkinov quotes BleepingComputer: Mozilla engineers are discussing plans to remove support for a state-operated Dutch TLS/HTTPS provider after the Dutch government has voted a new law that grants local authorities the power to intercept Internet communications using "false keys". If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate Authority (CA)...

This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic. Such covert technical capabilities include the use of "false keys," as mentioned in Article 45 1.b, a broad term that includes TLS certificates.
"Fears arise of mass Dutch Internet surveillance," reads a subhead on the article, citing a bug report which notes, among other things, the potential for man-in-the-middle attacks and the fact that the Netherlands hosts a major internet transit point.

5 of 112 comments (clear)

  1. Does it make sense to trust any govt key? by mellon · · Score: 4, Insightful

    This is a tough question, because arguably corporate-held keys aren't trustworthy either, but if we are to trust government keys, we need to know what the terms of governance are, and in general we don't. In the U.S., for example, government eavesdropping rules are secret. So trusting a PKI cert issued by the U.S. government is crazy. Of course, governments can also often compel private industry, and as we've seen, private industry can also engage in corrupt practices or careless practices. Honestly, PKI is pretty rickety.

    1. Re:Does it make sense to trust any govt key? by Anonymous Coward · · Score: 4, Informative

      True, the current system is and always had been broken by design. It only takes one foul apple to spoil the whole dish.

  2. Governments, take note by Opportunist · · Score: 5, Insightful

    This is what happens when you try to pull a stunt like this.

    Certificates are based on a system of trust. I trust a certificate because the issuer promises that it belongs to the party it was issued to. If that party now not only has the ability but also the obvious intent to intercept and snoop on traffic, the certificate is intrinsically untrustworthy. Because it can easily be used for such nefarious applications.

    The Netherlands just made all their certificates along with every certificate issuing company under their jurisdiction untrustworthy.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Governments, take note by Opportunist · · Score: 4, Interesting

      Then we're down to doing what organizations with elevated security needs already do. Issue their own certificates, transport them to their partner via a secure channel and pin the certificate, i.e. to be valid, the site has to present this certificate, exactly this certificate and only this certificate.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Governments, take note by Opportunist · · Score: 4, Insightful

      Too high a risk to take.

      Blanket use of forged certificates would make it near impossible that such behaviour isn't eventually noticed, which would instantly lead to the whole certificate chain system coming down.

      If anything, such a tool would be used very carefully for high profile targets.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.