Feeds

back to article Firefox 'death sentence' threat to TeliaSonera over gov spy claims

Firefox-maker Mozilla could issue a "death sentence" to TeliaSonera's SSL business over allegations the telecoms giant sold Orwellian surveillance tech to dictators. The punishment would be an embarrassing blow to the company: it would effectively cut off HTTPS-encrypted websites verified by TeliaSonera from Firefox users, who …

COMMENTS

This topic is closed for new posts.

Page:

The UK government?

When is Mozilla going to revoke root certs for any provider that supplies the UK government? The snoop-on-everyone law has passed the rubber stamp called parliament. This pernicious law will not be targeted, it will capture ALL traffic for ALL users.

23
4
Anonymous Coward

Re: The UK government?

"... it will capture ALL traffic for ALL users..."

If you're going to object to something, at least try to understand what it is you're objecting to. A very small amount of critical thinking would suggest that there isn't enough storage in the world to store all traffic for all users.

Personally I'm generally speaking against this law, but people who don't understand it and bang on about everyone's data being kept by the government for ever really don't help mount a credible case against the law.

7
7
Anonymous Coward

Re: The UK government?

3 open responses: to 'people who don't understand it'

A) a quick data-mining signature-based first sift of the UK's telecoms morning traffic would give the MinTruth enough data to start hounding the targets of the day. (according to French press Amesys actually programmed the human targets in to the DPI systems that were installed in Ghadaffi's Libya - the argument that DPI monitoring is a dual-use weapon don't hold when it has seemingly already been sold as a loaded weapon!)

B) Ohio is seeing the construction of a large enough hard disk to store everything in the world for all users. Many nations export all their internet data to 'partners' - including Sweden, why?

C) the various human rights treaties that were pushed post-WWII by Sir Winston Leonard Spencer-Churchill, KG, OM, CH, TD, DL, FRS, Hon. RA (30 November 1874 – 24 January 1965) have the keyword 'proportional' that seems to be missing from most of the UK's current and planned future activities...he certainly understood "it"

9
1
Anonymous Coward

Re: The UK government?

correction of response B)

The Ohio news reports today that the new NSA Bluffdale Utah data-centre will not be used for spying on (US) email. ...so that's OK then.....I guess they'll just be using their PCIe gen3 GPU Appliance crates to mint Bitcoins?

http://www.dispatch.com/content/stories/national_world/2013/04/16/nsa-utah-facility-not-for-spying-on-email.html

meanwhile I forgot to mention SSL, and FF; personally - and I speak for myself here - I tend to use Chrome more as FF doesn't handle SSL certificates in the most trustworthy way - Mozilla might have suffered 'Market Capture' and a very tight/protected/extensionified Chrome is safer to use?

http://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/ describes the use of a poisoned pdf file to download from a cloud a ten megabyte banking-attack trojan, all software was digitally signed using a valid digital certificate. The fake Brazilian company that recently bought the signing certificate from DigiCert previously used another fake company in November 2012 for similar attacks. Presumably they will attack again now that their second certificate has been revoked. Online crime is lucrative and low-risk for the attackers.

Trust and Security of the entire internet is based on Netscape's invention of SSL. Proving that our current X.509 Browser/Certificate Authority SSL trust-relationship is broken is data gathered by the SSL Observatory and others, particularly http://www.ccssforum.org/malware-certificates.php where 124 fake no, Real CA signing certificates have been used by malware authors.

As any certificate can be used to sign any domain, (e.g. TurkTrust signing *.google.com recently) the PKI infrastructure is just as secure as its weakest link, and the weakest links are not secure (in absolute context they are mostly but not completely secure) The 124 real certificates were purchased over 2.5 years.

So that's a background level of around 60 certificates a year purchased fraudulently - out of millions used mostly correctly. To this can be added the numbers of stolen SSL certificates (hundreds to unknown, maybe thousands) and the 'Nation State' 'misuse' of SSL proxy certificates to which only South Korea has officially admitted but is widespread (millions), and increasing with the greater use of national DPI/Proxy systems. So the odds to be hit hard by targeted malware that bypasses current OS & Browser & AV detection are slightly better than winning a lottery - but with worse results!

Crypto academics currently claim privately that the Certificate Authorities and Browser manufacturers live in a state of capture, neither wishing to change a lucrative revenue model, the faults are known, but are ignored by most Browser organisations. Trust in the current Certificate Authorities and Browser implementation is misplaced. Their industry body "CABForum" seems to have been designed to resist change, and simply enforce their 1990 model of security.We are 20 years beyond Netscape in terms of threats and challenges!

CA/Browser Forum "a voluntary online security standards organisation" (public is not allowed to participate) Members are here <https://www.cabforum.org/forum.html> Apple, Google, Microsoft, Opera, Mozilla + certificate authorities

Slow change maybe coming to the CABForum? http://www.darkreading.com/security/news/240005230/ca-browser-forum-s-mandated-royalty-free-intellectual-property-policy-change-spurs-entrust-to-withdraw-from-organization.html This article explains why Entrust has recently withdrawn from CABForum, apparently over IPR issues but mostly quote "many smaller, unproven CAs are empowered with issuing digital certificates that could very well jeopardize the trust and security of the entire Internet. Entrust can't support this position."

When the No.2 Certificate Authority is saying that things might be bad - I'd tend to agree with them!

5
0
Silver badge

Re: The UK government?

"I tend to use Chrome more as FF doesn't handle SSL certificates in the most trustworthy way - Mozilla might have suffered 'Market Capture' and a very tight/protected/extensionified Chrome is safer to use?"

What do you mean by that loaded statement? Like most of your post provided without any explanation or evidence. Since you seem to be worried about your security why do you think a browser that is monitoring you for an ad agency is more secure?

4
0
Anonymous Coward

Re: The UK government?

you're right its only a point of view that Mozilla\Apple\MS browsers might have suffered regulatory\Market capture through the CA/Browser forum. Google is provenly the only browser that detected and published Iranian SSL Gmail certificate hijacks, that's because Google , for all their advertising evil, is currently 'on-side' for freedom enabling communications in a few areas. This phrase "Certificate pinning: Pinning was introduced in Google Chrome 13 in order to limit the CA's that can issue certificates for Google properties" taken from http://nelenkov.blogspot.it/2012/12/certificate-pinning-in-android-42.html explains why Google is doing this, it doesn't explain why the rest of the CA/Browser Forum try and party like it's 1999!

(Google Chrome's adverts can still be managed with aggressive Ghostery et al Plugins - for the time being, Google has of course started to block some plugins on mobile......)

0
0
Bronze badge
Big Brother

Re: The UK government? @AC 12:19

Minitrue. The Newspeak word is Minitrue.

<<<<<Obviously.

0
0
Anonymous Coward

Re: The UK government? @AC 12:19

Also shrieking about 1984 doesn't help make a credible, level headed case...

0
4
Anonymous Coward

Re: The UK government?

"B) Ohio is seeing the construction of a large enough hard disk to store everything in the world"

Am I the only one envisioning an enormous construction site, complete with bulldozers, cranes, dump trucks, and so on, all of which are working on/around a Winchester disk drive the size of a Walmart?

1
0
Anonymous Coward

Re: The UK government?

> A very small amount of critical thinking would suggest that there isn't enough storage in the world to store all traffic for all users.

But... but... they're buying Office365.

0
0
Big Brother

does not provide lawful interception...

"As for all operators, TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation."

Leaves open the door that they could be providing illegal services. Maybe just an English translation issue and not lawyer-speak.

This is going on all over the world. There is no "Free World" anymore.

2
0
Anonymous Coward

Tough stance?

Will we see the same stance taken against Google, MS et al? All of whom have traded with dictators and states the abuse human rights (e.g. China). And blocking TLDs of states that trade with dictators and abusers of human rights? (e.g. .uk)?

No? Didn't think so.

Obvious PR stunt is obvious.

7
6
Silver badge

Re: Tough stance?

An obvious PR stunt perhaps, but that doesn't mean that it isn't useful to more than just mozilla.

If criminals want to use SSL they can generate their own, non-snoopable certs. "Lawful interception" with or without TeliaSonera won't get you the cleartext for that. Indeed, most corporates do that internally because they can't be bothered to pay for certs.

The interception comes in where people are accessing "public" infrastructure, such as gmail, banks etc and the government wants to do man-in-the-middle spoofing. The hardened criminal will so sensible things like deleting all root certs and making an exception for that service from a "safe" net connection. However, as a general "let's snoop on the populace" tactic, skeleton root keys come into their own.

The problem is that TS is setting itself up selling security systems to keep things secret. If it then goes around selling imitation vaults, it can hardly expect vault users not to kick up a fuss.

2
0
Anonymous Coward

Re: Tough stance?

Not a PR stunt.

Actually if you read the discussion, there is some surprise that this is being reported.

Mozilla simply conducts all its discussions in the open (being a open company with many volunteers) after all.

0
0
Anonymous Coward

Others have done it

The root program needs to be tightened up if this criteria is going to be considered. for a root CA key to be admitted to the browser stores they normally need to be audited to the Webtrust standard or similar. That is mostly technical and operational and doesn't go into the politics of an outfit.

Others have been guilty of issuing mitm certs recently and weren't removed, maybe its time to clear out the root CAs a little and add to the certification process.

4
0
Bronze badge
Headmaster

Re: Others have done it

This criterium, my dear chap, these criteria...

2
2

Re: Others have done it

Criterium = cycle race

Criterion = singlular noun of which plural = criteria

9
0
Thumb Up

Uzbekistan

well, its dictator and his daughter, are among TeliaSonera's customers. Also, TeliaSonera culture still suffers from being a spinoff from a once government controlled monopoly. They are on my evil list.

4
0
Bronze badge

One way to check and see if your SSL traffic is being exposed to a man in the middle attack:

https://www.grc.com/fingerprints.htm

6
0
Silver badge

But how do you know you are going to the real www.grc.com if your ISP has sold root CAs to everybody+dog?

2
0
Silver badge
Thumb Up

Kick their certificate out...

and I will switch to Firefox. Whatever that is worth.

3
0
Anonymous Coward

Mmmmmm

Ok I can see the rights of this, but then you are also punishing innocent people (re: customers) for your own political views.

Where does it end?

Block all Saudi sites? Chinese? Indonesian (look up West Papua New Guinea abuses for that one)?

It's a dangerous game when politics enter when a company that heralds itself as a bastion of a free and open web starts playing politics.

5
3
Anonymous Coward

Re: Mmmmmm

Indeed. The US executes people as a punishment, most of the rest of the world doesn't, should they lose their certificates? The US has also been ........ well I'm sure you all know the long list of bad things they've been caught doing.

I'm fairly sure they've got access to decrypt SSL traffic too, using much the same mechanisms.

While I'm sure there are governments out there (North Korea, for example) who I think should be blocked like this we also need to make sure we don't start throwing stones in our glass houses.

5
1
Anonymous Coward

Re: Mmmmmm

You seem to be missing the whole point - this is not directed at any specific country or their companies, nor is it about companies that might also produce dubious spy products.

It is the concern that the SSL they want Mozilla to include will be used for spoofing sites, so it is a direct abuse of the certificate for evil, and not that evil acts are perpetrated by some other branch of the company.

8
0
Facepalm

Re: Mmmmmm

"I'm sure you all know the long list of bad things they've been caught doing."

Indeed, it's hardly possible to read the El Reg comments without being reminded of them, regardless of the context.

0
0
Anonymous Coward

Re: Mmmmmm

Of course its a balance.

Mozilla should do as much as it can without severely crippling themselves.

There are countries in which this will work and countries it wont. Maximum security for users that is possible in any given context.

If mozilla ever has the power to put pressure on Chinese/Saudi/others, thats fantastic. But its not there yet. And probably never will be.

However they can make a difference here.

0
0
Silver badge
Go

Re: Mmmmmm

You can look at it that way, and wouldn't be entirely wrong. But you also have to look at the technical side. A Certificate Authority is only as good as their word. Giving their word is their only job in fact. They say "Yep this website is the real deal" or "This other guy can also be trusted to tell you whats legit". Now I haven't read any details about exactly what sort of surveillance tech they're accused of selling, but my suspicion is that it involved interception devices certified as a legitimate source for everything (i.e. *.com, *.org, *.uk, etc). If true, that would completely destroy they credibility as a Certificate Authority in my book.

And distrusting them in the future is really the only remedy for something like that. It's not the same as blocking certain domains because their governments are bad. In fact you'd still be able to go to sites they certify, you'd just have to click through some (admittedly very aggressive) warnings that Firefox doesn't consider the certificate trustworthy.

1
0

Re: Mmmmmm

Something that can be done now in Firefox is revoking CAs you don't trust yourself - they did this some time after a Firefox variant patched so it would not rely on certain Chinese CAs.

0
0
Silver badge

This seems like the opposite of open source...

So Mozilla is going to cut off its users from some secure content because they don't like what some third party is doing?

How does this make them different from the dictators they're trying to strike against... It's still "do what I say or else".

By all means support and encourage methods to subvert totalitarian control, but the instant you block content is the instant you become just like them.

And the instant you accept coladeral damage to non involved people is the instant you need to be stopped.

5
8
Silver badge
Thumb Down

Re: This seems like the opposite of open source...

How does this make them different from the dictators they're trying to strike against... It's still "do what I say or else".

You have a choice of what browser you use. You don't have a choice on what dodgy cert is presented to you.

7
1
Bronze badge

Re: This seems like the opposite of open source...

The source code is out in the open for anyone who wishes to recompile it with improved facilities for government interception of their communications.

2
0
Silver badge

Re: This seems like the opposite of open source...

No Mozilla is saying that this telco has signed root CAs for dodgy countries that allow them to fake being any site they want - Mozilla is going to stop trusting all CA signed by this ISP.

5
0
Bronze badge

Re: This seems like the opposite of open source...

It doesn't even stop Firefox from visiting those sites. You just get a warning and a recommendation not to proceed.

0
0
Anonymous Coward

Re: This seems like the opposite of open source...

Actually, all that is being discussed is a warning. If you want to manually add a certificate, you can.

Mozilla is about the users. In fact they are SO open source, they are having this discussion in the open. And thus it got reported on. Otherwise you would never have heard of this at all.

1
0
Bronze badge
Trollface

Eurovision?

Someone tampering with the Eurovision contest voting system is a disturbing thought....

3
0
Anonymous Coward

Certs, the future of security...?

Considering the recent Reg articles on :-

A. How Certs have been hacked and captured for Malware i.e. Bit9 hacked...

B. The expired SSL certificate that caused Microsoft Azure outages...

...Maybe we need to re-think the safety of the SSL CA security model...?

1
0
Silver badge

Re: Certs, the future of security...?

The SSL CA model never worked - it was based on the idea that companies which made money from selling the most SSL CA would be in charge of policing that only legitimate customers bought them

It's as crazy as subcontracting out the maintenance of a railway to a company that made a bigger profit by doing less maintenance - nobody would be that stupid.

6
0

Can of worms

I suspect you're going to find dodgy dealings in the backgrounds of most root CAs. Taking a stand with this one looks a bit dogmatic.

1
1
Bronze badge

Personally I don't see why they don't just make it easier for the end user to select which CAs they want to trust. If they did this then the only thing that those working on firefox would need to care of would be the maintenance of a blacklist that people can either choose to use or ignore.

2
0
Anonymous Coward

Time to switch to Chrome if that happens.

0
2
Anonymous Coward

People can select and even add self-made CAs in their browser. But most people do not understand SSL as we can clearly see from some of the comments here.

If a CA does something that breaks SSL i.e. issuing skeleton keys to governments which allow them to fake any website seamlessly does deserve to be removed from all browsers not just firefox. Because it does exactly the opposite of what it is suppose to be doing, trust is lost and the CA no longer as an 'A' just a 'C'.

It's just common sense not sure what some of you people are on about.

1
0
Anonymous Coward

What a threat! Keep whining, its cute.

You do realize that this is a NEW certificate and NO website uses yet. And if mozilla refuses the certificate, then NO website will ever use it. So you COULD NEVER be affected personally by this decision.

However if mozilla allows it and the company abuses it, all mozilla users will be subject to MASSIVE security holes.

If mozilla doesnt trust a company, then neither do I.

Anyway, if you dont like being secure, you can always ignore the warnings the browser gives you.

0
0
Anonymous Coward

Re:

Time to switch to Chrome if that happens.

Thanks for letting us spy on your HTTPS sessions.

Signed,

Your ISP.

0
0
Bronze badge
Black Helicopters

CAs

I've always been concerned about all CAs. Frankly the only person I really trust is myself but it's a shame browsers are so heavily prejudiced against self-signed certificates. And it's a total pain rolling out your own root CA in an environment with a mixture of devices and locations.

I've always thought that there must be a better way of verifying certificates by using DNS. Could you distribute a self-signed root cert or the serial in a DNS TXT record for that host? That way you could be confident that the cert belongs domain/subdomain owner (as confident as someone having access to an e-mail address at the domain which is what most CAs use for verification). This becomes even tighter with DNSSEC.

Anyway, I don't have the answers. But there has to be a better way than putting all your trust in a bunch of anonymous private CAs.

4
0

Re: CAs

DNSSEC itself relies on the DNS records being signed, and hence on the integrity of the CA chain. So no, it doesn't appear that verifying web certificates using information carried by DNS will help.

7
0
Silver badge
Happy

Why?

No good can come from this. By allocating resources to an investigation of what they consider crimes they are removing resources that could go into making a better product. Straying too far from your mission has killed off many companies & playing in global politics is about as off mission as Mozilla could possibly get.

2
2
Anonymous Coward

Re: Why?

Because they care about user security as their #1 priority.

If they allow some shady company to issue certificates, that a huge security hole.

There have been allegations of shady behavior, and so in true mozilla fashion they are doing research in the open to determine if their users are safer with allowing these certificates.

Since this is a new certificate that no websites currently have, denying this will not negatively affect anyone. IF they make the wrong decision and allow it, it could result in very huge privacy problems.

If this company does work with notorious regimes and uses certificates to help them, that will mean people will be spied on. (and likely killed)

There are real consequences to making the wrong decision here.

0
0
Silver badge

Don't care

First thing I do when I install a new browser is delete the "trusted" authorities. I know of no reason why I would trust any of these obscure, privately owned and unaccountable faceless multinationals. I decide on a site-by-site basis.

4
1
Silver badge

No real surprise

Telia has been on my "evil" list for about 15 years. So much bad stuff was routed through them in the late 1990s/early 2000s that I threw their AS in a local blackhole and have never seen a reason to remove it.

1
0
Silver badge
Big Brother

"it will be seen as a tough stance against corporations...

"...that trade with authoritarian states."

And what about governments who trade with authoritarian states? Can you name any, boys and girls...?

1
0

Page:

This topic is closed for new posts.