Mozilla devs discuss ditching Dutch CA, because cryptowars

Concerns at the effect of The Netherlands' new security laws could result in the country's certificate authority being pulled from Mozilla's trust list. The nation's Information and Security Services Act will come into force in January 2018. The law includes metadata retention powers similar to those enacted in other countries …

I was going to...

...write a witty comment here but they already know what I was going to say.

5
1
Silver badge

Re: I was going to...

Very cryptic.

6
0
Big Brother

Re: I was going to...

Till I have the possession of everything she touches

Till I step on the brakes to get out of her clutches

Till I speak double dutch to a real double duchess…

New Amsterdam, Elvis C.

2
1
Anonymous Coward

Isn't it about time...

... that national CAs were only authorized to sign certificates for their own national TLD ?

10
0
G2

Re: Isn't it about time...

and they probably will do for *.google.nl, *.blogspot.nl, *.yahoo.nl.

in fact, they will probably just skip to forcing PKIOverheid to issue them *.nl certificate(s) for MITM.

3
0
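The restriction proposed above corresponds to X.509 name constraints (RFC 5280, section 4.2.1.10). The following Python is an added example, not part of the original thread: it applies a permitted `nl` subtree to constructed SAN lists and shows that the constraint limits the namespace but not which names inside it can be issued, so wildcard names under `.nl` still pass. The CA policy and all hostnames are assumptions for illustration.

```python
# Added example: RFC 5280 dNSName name-constraint matching.
# The "national CA limited to .nl" policy and every hostname are constructed.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def within_subtree(dns_name, subtree):
    """True if dns_name equals subtree or adds labels on its left-hand side.

    The comparison is label-wise, so "notnl" and "example.nl.attacker.example"
    do not match a constraint of "nl". A wildcard label ("*") is treated as an
    ordinary label, which means "*.nl" lies inside "nl".
    """
    name, base = _labels(dns_name), _labels(subtree)
    return len(name) >= len(base) and name[-len(base):] == base


def check_san(dns_name, permitted, excluded=()):
    """Return (allowed, reason) for one dNSName against the CA's constraints.

    Excluded subtrees win over permitted ones. An empty permitted list means
    the constraint is absent, so every name not excluded is allowed.
    """
    if any(within_subtree(dns_name, e) for e in excluded):
        return False, "inside excluded subtree"
    if permitted and not any(within_subtree(dns_name, p) for p in permitted):
        return False, "outside permitted subtrees"
    return True, "ok"


def audit_certificate(sans, permitted, excluded=()):
    """A certificate passes only if every one of its dNSName SANs passes."""
    results = {san: check_san(san, permitted, excluded) for san in sans}
    return all(ok for ok, _ in results.values()), results


# Constructed SAN lists, one per hypothetical certificate.
SAMPLE_CERTS = {
    "ordinary .nl site": ["www.example.nl"],
    "foreign TLD": ["www.example.com"],
    "wildcard under .nl": ["*.google.nl"],
    "TLD-wide wildcard": ["*.nl"],
    "look-alike suffix": ["example.nl.attacker.example"],
    "mixed SAN list": ["shop.example.nl", "shop.example.com"],
}

if __name__ == "__main__":
    for label, sans in SAMPLE_CERTS.items():
        ok, detail = audit_certificate(sans, permitted=["nl"])
        print(f"{label:20} {'ACCEPT' if ok else 'REJECT'}  {detail}")
```

Names the constraint accepts still need independent monitoring, for example through the Certificate Transparency logging discussed later in this thread.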
K
Silver badge
Facepalm

Re: Isn't it about time...

That's a step backwards, the ideal of the internet was meant to be information without borders.

Besides, you'd just get some slimy backroom deal, with most of the EU, US, Japan and AU sharing their roots.

I'm sure there's a good backdoor rooting joke in here somewhere.

4
0

Re: Isn't it about time...

"national CAs were only authorized to sign certificates for their own national TLD". That's called DNSSEC. See also RFC 7671, otherwise known as DNS Authentication of Named Entities (DANE).

3
1
Silver badge

Re: Isn't it about time...

"That's a step backwards, the ideal of the internet was meant to be information without borders."

Reality has this annoying habit of disappointing idealists.

8
0
Silver badge

It's probably best to have state-backed certificates

That was you can enable and disable them when you want.

The alternative is some deal with a large commercial provider behind closed doors.

3
1
Anonymous Coward

Re: It's probably best to have state-backed certificates

Let us assume they're both equally corrupt, wouldn't that just open up corruption to even more players (ie. _ANY_ person/company that "funds" state politicians)? But it does fit the rule of government spending: Why buy one when you can have two at twice the price.

3
0

Re: It's probably best to have state-backed certificates

Hey, I agree with both of your statements!

- The meaning of what you wanted to tell...

- The Freudian slip in what you actually say

Nice one!

("way" and "was")

0
0
Megaphone

Advancing our civilization into less a democratic state...

This law, in Dutch nicknamed the "sleepwet" (sleep = drag, wet = law, so the "dragging law" somewhat), has already triggered a protest in which several organizations filed a petition for a referendum. Probably not much to anyone's surprise the referendum easily reached the required thresholds and we're looking forward to a referendum in the making. Unfortunately not a binding referendum but only an advisory one.

But during these times you really get to experience democracy at its finest. Because some of our politicians are already discussing the possibility to remove the right to petition for a referendum. Because it's obviously such a drag for our politicians to actually get confronted with the real opinion of its civilians.

You can say about Russia what you want but at least they didn't try to uphold a facade by calling their country a democracy but kept calling it communism. Over here we're supposed to have a democracy, but every time the civilians call out for that they more than often get stonewalled. And maybe worse in the future.

Such a wonderful world...

20
0
Anonymous Coward

Re: Advancing our civilization into less a democratic state...

> Unfortunately not a binding referendum but only an advisory one.

Be wary. The Brexit referendum was supposed to only be an advisory one too.

In the wrong hands, it can be made into "a clear public mandate" against the actual public interest.

20
2
Anonymous Coward

Re: Advancing our civilization into less a democratic state...

The public stated that more of us want to leave the EU than stay in it. Calling it an "advisory result" or "a mandate" is splitting hairs. Simply put, the people were asked a question and they answered. At that point you get to either do what the people said, or ignore them. Calling it "advisory" is just a way of saying that it would have been ok to ignore the will of the people, because you know, it was only advisory.

9
21
Anonymous Coward

Re: Advancing our civilization into less a democratic state...

" Calling it "advisory" is just a way of saying that it would have been ok to ignore the will of the people, because you know, it was only advisory."

Well, due to the voting structure in the UK, who people vote for often has no relevance to who gets into power.

13
2
Silver badge

Re: Advancing our civilization into less a democratic state...

The will of 37% of the electorate should be advisory to future government policy but shouldn't be able to drive the country off a cliff.

27
7
Anonymous Coward

Never do this

The Dutch recently had another advisory referendum (on the Ukrainian matter). The referendum result was "No". The Dutch government went ahead and just ignored that. Doesn't bode well...

Anyways, kudos to Mozilla for this move. Wish Microsoft and Google will follow suit, but I know it won't happen. They profit too much from the Dutch tax system to jeopardize that.

The invisible hand of the market is too deep in the government money pocket.

7
0

Re: Advancing our civilization into less a democratic state...

Read the Conservative manifesto 2015 - nothing advisory about it.

3
0
Silver badge

Re: Advancing our civilization into less a democratic state...

The Conservative manifesto doesn't matter (did they actually specify what kind of referendum it was going to be?), what matters is the EU Referendum Act 2015 and that did not make it legally binding.

9
0
Silver badge

Re: Advancing our civilization into less a democratic state...

"The will of 37% of the electorate should be advisory to future government policy but shouldn't be able to drive the country off a cliff."

It was more than who voted against and the ones who didn't vote obviously didn't give a damn, so chucking 37% around as if it's a minority opinion is disingenuous at best.

7
15
Silver badge

Re: Advancing our civilization into less a democratic state...

"Because it's obviously such a drag for our politicians to actually get confronted with the real opinion of its civilians."

For opinions of its civilians I assume you mean the opinions of Millennials who make a lot of noise about everything they don't like on social media and expect the rest of the population to agree with them?

7
4
Silver badge

Re: Advancing our civilization into less a democratic state...

Government is supposed to be for everybody. If it's only carrying out one policy to keep what 37% of the country wanted on referendum day happy it won't last very long.

I notice you took no issue with the "drive the country off a cliff" bit.

9
4
Silver badge

Re: Advancing our civilization into less a democratic state...

> The will of 37% of the electorate should be ...

So you are arguing instead that the 34.7% who voted to remain should have a larger say? Ie, the classic argument by the losing side that the 27.8% who didn't vote would all actually have voted for the losing side. Put another way, sore losers are usually quick to abuse any stats they can to try and "prove" that they have been wronged.

It's more valid to suggest that those who didn't vote didn't care enough to express an opinion, or were simply happy to go with the majority result. Thus, up to 65.3% of the electorate wanted to leave - but not all of them got out and voted.

But since no-one can accurately know the opinions of all those who didn't express it, we have the tried and tested method of looking at the opinions of those who did - the highest turnout for an election/referendum in living history IIRC. Of those that did vote, a very clear majority wanted to leave.

If you have any complaint, and believe that the result should have been different with those missing votes - then your complaint should be against those who didn't get out and vote the way you wanted.

8
7
Silver badge

Re: Advancing our civilization into less a democratic state...

"Government is supposed to be for everybody. If it's only carrying out one policy to keep what 37% of the country wanted on referendum day happy it won't last very long."

Government goes on majority and if the number of opinions in question is more than 2 then a majority opinion may be less than 50%. This is basic maths, obviously something you have a problem with.

"I notice you took no issue with the "drive the country off a cliff" bit."

Because it's nothing more than your opinion. State some facts and I'll discuss them.

3
6
Silver badge

Re: Advancing our civilization into less a democratic state...

> If you have any complaint, and believe that the result should have been different with those missing votes - then your complaint should be against those who didn't get out and vote the way you wanted.

No, my complaint is against the government. The referendum is advisory (legally, there's no way around that, it was stated in the Act and the HoC library, and backed up by the courts), and it's wrong for the government to take the actions which affect the future of the whole country based on only 37% of the electorate.

> Government goes on majority and if the number of opinions in question is more than 2 then a majority opinion may be less than 50%. This is basic maths, obviously something you have a problem with.

Most referendums which change the direction of an entire country require a supermajority and/or a minimum number of participants to stop this kind of incessant argument which has been going on for 16 months.

7
4
Silver badge

Re: Advancing our civilization into less a democratic state...

"The referendum is advisory (legally, there's no way around that, it was stated in the Act and the HoC library, and backed up by the courts),"

Ah, the favourite word of the remoaner - "advisory". Yes, it was advisory and then there was a vote in parliament that made the result mandatory. Which part of all that don't you grasp?

Plus I bet you wouldn't be complaining about the government keeping us IN the EU if the vote had gone the other way would you? No, of course you wouldn't.

I'll tell you something for free - you remoaners are just scared of change but you dress your opinions up as some considered economic or social argument to disguise the fact that you're pissing your pants in fear. The phrase "sore loser" doesn't even come close to doing you people justice. Whining pathetic twats who are scared to take risks would be much closer to the truth. Generation Snowflake at its finest.

5
8
Silver badge

Re: Advancing our civilization into less a democratic state...

At the top:

> State some facts and I'll discuss them.

Then we come to the discussion at the post above...

Well that was disappointing and expected. If the guy in charge of Vote Leave says it's going to be a disaster, all that are going to be left are the Brexit Taliban.

0
4
Bronze badge
Go

Re: Advancing our civilization into less a democratic state...

What You Deserve Is What You Get.

(The ruling Christian Democratic Alliance has already said that they will ignore the result of the March referendum, like Madrid ignores Catalonia's independence referendum).

0
0
Anonymous Coward

Re: Advancing our civilization into less a democratic state...

"the ones who didn't vote obviously didn't give a damn"

Maybe they were fooled by the claim that it was only "advisory".

2
0
Silver badge

Re: Advancing our civilization into less a democratic state...

"...Whining pathetic twats...etc."

Have you ever considered a career in the diplomatic service?

2
0
Silver badge

Re: Advancing our civilization into less a democratic state...

> The will of 37% of the electorate should be advisory to future government policy but shouldn't be able to drive the country off a cliff.

Also shows those who didn't vote clearly did not want to vote "stay" strongly enough to get off their arses and vote.

Of those who voted, what were the numbers - for or against? That's your answer to what should be done, as that is how democracy is supposed to work.

If you live in the UK you have 3 choices. 1) leave. 2) stay and make it work for you and yours, hard as that may be. Or 3, whine like a little girl.

If those on the "stay" side had put as much effort into encouraging people to vote their way as they do into crying about the result, maybe they would've gotten their way. Instead so many of them throw tantrums after the fact.

And yes, if it had gone the other way and it was the other side crying into their panties, I'd be saying much the same. I don't know if staying or leaving would be better for the UK, but as someone outside the UK I can say while I want what is best for the UK, I also feel the EU would be somewhat better with UK still involved. Now I just hope you get what is best for you.

3
0
Silver badge
FAIL

Re: Advancing our civilization into less a democratic state...

> If it's only carrying out one policy to keep what 37% of the country wanted on referendum day happy it won't last very long.

So what you're saying is you shouldn't change the government at election, because if say 49.99% of the population vote for the opposition, 0.01% vote for the incumbents, and 50% don't vote then the government cannot change because the opposition "didn't get a clear majority".

And yes, that is exactly what you're saying. You cannot assume that of those who couldn't care enough to vote, enough would've voted "stay" to have changed the outcome. More likely the numbers (% voting for vs % voting against) would've still been largely the same.

Governments are supposed to go the way the majority of the people want (and as someone from the "wrong side of the tracks" I'm glad they sometimes don't!), but often the only clear way for them to find out about that is via a referendum. Sure you can visit your MPs and express your views, but you might find your "no" is getting drowned out by someone who can hire 100 people to loudly demand "yes".

A referendum was held, the majority of those who could be bothered voting said "leave". The government acted in accordance with democratic practice, good or bad. If you wanted a different outcome you should've made more effort to educate your fellows and get them in to vote. Know anyone who wanted to vote "stay" but who couldn't get to a polling booth (or couldn't figure out a postal vote or whatever other options you have), or who thought their vote wouldn't count, or any of the other reasons/excuses people give for not voting? Did you help them to vote, or give them good reason to vote? If yes, good on you and at least you tried. If not, the loss is on your hands.

(and yes, I did apply this to myself a few weeks back - and for the months leading up to our recent election - I almost got what I want and while not the clear victory I hoped for, a victory none-the-less (hopefully!)

1
0
Silver badge

Re: Advancing our civilization into less a democratic state...

> Most referendums which change the direction of an entire country require a supermajority and/or a minimum number of participants

[citation needed]

(Seriously, I would love to see any reasonable reference to that (ie an opinion piece in the Mail won't count, but a reference to a couple of government's law sites that show this would be fine. I don't expect you to prove "most", I'm happy with a few countries having it codified into law that such an idea could exist - and yes I'll even allow places such as North Korea! (though getting a Nork "government online" site may be a bit of a challenge :) )

0
0
Silver badge

Re: Advancing our civilization into less a democratic state...

> "the ones who didn't vote obviously didn't give a damn"

> Maybe they were fooled by the claim that it was only "advisory".

Then they should've gone out, voted, and advised the government on what their desire was.

Simples, no?

2
0

Re: Advancing our civilization into less a democratic state...

@ ShelLuser

>Because some of our politicians are already discussing the possibility to remove the right to petition for a referendum.

Indeed. I visited your country this week, and caught a rather remarkable quote on your local daily newsnight program (called News Uur?). There, one of the commentators stated, that there was only one country that first implemented the possibility to call for a referendum, and then later amputated its citizens' rights by abolishing it.

This was the DDR...

0
0

Re: Advancing our civilization into less a democratic state...

37% of eligible voters were in favour of Brexit. 35% were against it. 28% didn't vote. So we have no idea at all whether more people were for it or against it. Now we have a bunch of extremists insisting that we get out of the EU in as painful and damaging a way as possible and that any attempt to come to a sensible deal over the customs union and frontier controls is a denial of what people voted for - but the referendum didn't ask whether that sort of economically and socially disastrous sort of exit was wanted, and probably if it had asked that the answer would have been a resounding NO.

Back in the late 70s we had a Scottish devolution referendum in which it was an explicit requirement that the votes of at least 40% of those eligible to vote would be required to vote for a change for there to be any, and that seemed to be a common sense rule. I was in favour of change then, as were the majority of those who actually voted, but fewer than 40% of eligible voters voted for change so we didn't get the change, and no-one then claimed that the will of the people was being denied, perhaps because people in those days had rather more common sense than the anonymous coward to whom I'm replying.

2
1

Re: Advancing our civilization into less a democratic state...

Kiwi, you clearly don't know the history of referenda in the UK in the 20th century.

Back when there was debate about devolution to Wales and to Scotland a number of referenda were held. The laws enabling the referenda in the 1970s said explicitly that if fewer than 40% of eligible voters voted for change from the status quo, there would be no change. In the 1979 Scottish devolution referendum the devolve side took 52% of the vote, but as few meant fewer than 40% of the eligible votes were for devolve, devolution didn't happen. Those of us who were in favour of devolution didn't go round claiming that the government was denying the will of the people, we accepted it as just common sense that fewer than 40% didn't indicate a general desire in favour of what would be a fairly big change in the status quo. In 1997 a further Scottish devolution referendum was held, again a majority in favour and this time 45% of eligible voters (nearly 75% of actual voters) voted yes, resulting in the Scotland Act 1988 which set up a Scottish Parliament with substantial devolved powers. The Welsh referendum in the 1970s voted heavily against devolution, but in 1997 the Welsh voted in favour of limited devolution, and in another referendum in 2011 the Welsh voted in favour of increased powers for their devolved government.

1
0
Silver badge

Re: Advancing our civilization into less a democratic state...

> 37% of eligible voters were in favour of Brexit. 35% were against it. 28% didn't vote. So we have no idea at all whether more people were for it or against it.

A slim majority of those who voted - true. But a majority of those who voted say to leave. The government acted on that. That is how democracy works. If you'd had an election and you had 49.8% of the seats go to one party and 49.800001% go to the other party, the other party would win (under FPP).

The 28% who didn't vote are irrelevant as you have no way of measuring their will. IIRC a number of the polls before the referendum actually claimed that a higher % were in favour of leaving, so if that's the case then you have an indication that their desire was to leave. ICBW.

> Now we have a bunch of extremists insisting that we get out of the EU in as painful and damaging a way as possible and that any attempt to come to a sensible deal over the customs union and frontier controls is a denial of what people voted for

It could be interpreted by some (rightly or reading-into-it-what-they-want-only wrongly) that the vote to leave was a kind of "we hate the rest of Europe and want OUT!" statement. It is even a correct statement to make in some cases, and that is what these people may be on about.

It could also be said that they believe the quickest possible exit is the best thing for the UK economically and politically (eg they buy into the "350mill/week for the NHS" stuff), and that's what they're acting on.

If you disagree, then do what you can to get the other side heard. Make your views known to your local MP. Don't appear as a homeless conspiracy theorist with extra mouthy frothiness (even if you are one!), give the best presentation you can. You may not change much, but if 100,000 of you speak up (rather than giving the rubbish excuse of "they won't listen") they might listen. Your MP may even want to say "My constituents want..." but is waiting for even just one to come forward and make that request. You could be the difference.

And if you have done that, then thanks for caring about your community and country enough to act.

> Back in the late 70s we had a Scottish devolution referendum in which it was an explicit requirement that the votes of at least 40% of those eligible to vote would be required to vote for a change for there to be any, and that seemed to be a common sense rule.

I'm not entirely comfortable with minimal numbers (and I have seen some saying it should be a 75% minimum), but at least at 40% it appears to be encouraging stronger voter turnout.

(I own a tiny % of a Shetland pony that's not in the race, not even in the same county, but whose owner has a 50p bet on a horse that's running - but I still want what's best for the UK. If a quick exit cutting as many ties to the EC is what is best then that's what I want. Likewise, if a drawn out 5 year exit strategy is best, then that's what I want.)

0
0
Silver badge
Pint

Re: Advancing our civilization into less a democratic state...

> Kiwi, you clearly don't know the history of referenda in the UK in the 20th century.

> Back when there was debate about devolution to Wales and to Scotland a number of referenda were held. The laws enabling the referenda in the 1970s said explicitly that if fewer than 40% of eligible voters voted for change from the status quo, there would be no change.

Correct. Back in '79 I was in my first full calendar year in primary school.

Were such minimums written into the brexit laws? Maybe they should've been, but they weren't.

> we accepted it as just common sense

Common sense isn't always that sensible. It's what said shellshocked soldiers should be executed, it's what said Aboriginals are a subhuman species, gays are a disease, men have the right to beat their wives, slavery is good for the economy, and so many other wonderful pieces of history. I'm not saying you're wrong, just that when I hear someone use the term to justify something I remember what it has justified in the past.

0
0

This post has been deleted by its author

Anonymous Coward

I used to be proud of my passport..

.. but it has been going downhill for quite a few years decades now. Idiotic right wingers and demagogues getting a seat in parliament where "behave normal, that's mad enough" is loosely translated what used to be the norm and national intelligence services having influence and access way beyond what should be permissible in a normal democratic society.

What makes it worse is that it has not altered the position of the Netherlands as one of the main hubs for Internet crime, which suggests those arguments are merely excuses. Get local spam? If it has a number to call, it tends to be a Dutch cell (+31 6 ..). Trace down scams and spams? Well, if they're in the "developed" world (I used this word advisedly), chances are they're hosted in the Netherlands (there are also some small UK outfits in this game) - none of these so called "intelligence" service special privileges appears to be able to make a dent in them ..

.. unless they are their main customers.

Thank God for Kaspersky then.

7
1
Anonymous Coward

What's the point

What exactly do people think that The Netherlands will be able to do with these new powers that dropping their CA will help with? It's not like they will suddenly get access to the private key part of any certificate that they sign. I mean, if the law makes it so that they can compel people to hand over the private key, then the CA used for signing is irrelevant.

If the concern is that they will start creating fake certs for MITM purposes, then Certificate Transparency will solve that problem in April next year anyway. The browsers can just distrust whatever CT log they're publishing to. Any cert that they generate which isn't published to a CT log will not be trusted.

The only thing they can really do is perform targeted attacks against machines to steal keys and once again, distrusting the CA does nothing to help against this.

It seems like the only point to doing this would be to publicly shame them? In which case, why aren't we doing the same for all of the 5 eyes countries for a start?

3
0
Bronze badge

Re: What's the point

> In which case, why aren't we doing the same for all of the 5 eyes countries for a start?

There's certainly an argument to be made that whatever The Netherlands might legislate for in the open, would be possible to do in the background under the guise of most 'national security' provisions of many countries.

5
0

Let's Ditch TLS Altogether

TLS is

-overly complex. Implementations take between 27k to 400k lines of code. Nobody bothered to seriously review OpenSSL for that reason for more than a decade.

-security-wise wedded to the CAs. Several CAs have been hacked and bogus certificates issued.

Here is my proposal for an alternative:

https://github.com/DiplIngFrankGerlach/MST ("Minimal Secure Transport")

MST is

+small (less than 1k lines of code). Any competent security researcher can review the code, not just the concept

+giving you all conceptual assurances TLS is giving you

+only reliant on AES, no other ciphers/MACs

+not using Public Key crypto. One potential weakness less.

0
2
Silver badge

Re: Let's Ditch TLS Altogether

But (I guess) this doesn't have any authentication though so it's not suitable for banks, payments, etc...

1
0

MST Assurances

Not correct, please refer to WhyMST.html, which states:

<h1>Which Assurances Are Provided By MST ?</h1>

Similar to SSL/TLS, MST assures that

<list>

<li>messages are obfuscated</li>

<li>messages cannot be replayed by an attacker</li>

<li>messages cannot be modified by an attacker</li>

<li>messages cannot be constructed by an attacker</li>

<li>identical messages do not encrypt to identical ciphertext</li>

</list>

MST contains an encrypted HMAC and an attacker will not be able to forge a message unless he is in possession of the AES key which encrypts the plaintext plus the HMAC. All bogus messages will be automatically discarded.

0
1
Silver badge

Re: MST Assurances

I mean, it's an encrypted connection, but the client won't be clearly told in the URL bar if they're talking to hsbc.com (HSBC) or hbsc.com (Bank of Phish). There's nothing like Extended Validation.

0
0

Re: MST Assurances /Authentication of Server

A browser supporting MST would have a GUI where the user enters Name of Institution, server name plus key material. The source of that would be either a postal letter or a printout from the institution's branch office.

That user supplied comment would then be displayed instead of the URL.

0
0
Anonymous Coward

Re: Let's Ditch TLS Altogether

Downvote for snakeoil github repo, barely documented protocol, no cryptographic analysis, and the fact that it's useless in almost all practical applications (how are you going to exchange a shared secret with amazon.com?)

For a real "minimal" cryptosystem designed by a real cryptographer, please see NaCl.

The only problem with DJB's work is that there's nothing which competes with it

2
0

Sure, Mr Anonymous Coward

MST is "snakeoil", but you do not dare to attach your name to this verdict. Again, attack my arguments, my design choices, the protocol, but please spare me your unfounded non-arguments.

MST is designed to be efficient and as simple as possible. I am glad to answer any detailed, REAL questions which you can come up with.

I could call NaCL "snakeoil", too. Without any arguments, just like you did with MST.

0
2


Biting the hand that feeds IT © 1998–2018