back to article Firefox 'death sentence' threat to TeliaSonera over gov spy claims

Firefox-maker Mozilla could issue a "death sentence" to TeliaSonera's SSL business over allegations the telecoms giant sold Orwellian surveillance tech to dictators. The punishment would be an embarrassing blow to the company: it would effectively cut off HTTPS-encrypted websites verified by TeliaSonera from Firefox users, who …

COMMENTS

This topic is closed for new posts.
  1. HereWeGoAgain

    The UK government?

    When is Mozilla going to revoke root certs for any provider that supplies the UK government? The snoop-on-everyone law has passed the rubber stamp called parliament. This pernicious law will not be targeted, it will capture ALL traffic for ALL users.

    1. Anonymous Coward
      Anonymous Coward

      Re: The UK government?

      "... it will capture ALL traffic for ALL users..."

      If you're going to object to something, at least try to understand what it is you're objecting to. A very small amount of critical thinking would suggest that there isn't enough storage in the world to store all traffic for all users.

      Personally I'm generally speaking against this law, but people who don't understand it and bang on about everyone's data being kept by the government for ever really don't help mount a credible case against the law.

      1. Anonymous Coward
        Anonymous Coward

        Re: The UK government?

        3 open responses: to 'people who don't understand it'

        A) a quick data-mining signature-based first sift of the UK's telecoms morning traffic would give the MinTruth enough data to start hounding the targets of the day. (according to French press Amesys actually programmed the human targets in to the DPI systems that were installed in Ghadaffi's Libya - the argument that DPI monitoring is a dual-use weapon don't hold when it has seemingly already been sold as a loaded weapon!)

        B) Ohio is seeing the construction of a large enough hard disk to store everything in the world for all users. Many nations export all their internet data to 'partners' - including Sweden, why?

        C) the various human rights treaties that were pushed post-WWII by Sir Winston Leonard Spencer-Churchill, KG, OM, CH, TD, DL, FRS, Hon. RA (30 November 1874 – 24 January 1965) have the keyword 'proportional' that seems to be missing from most of the UK's current and planned future activities...he certainly understood "it"

        1. Anonymous Coward
          Anonymous Coward

          Re: The UK government?

          correction of response B)

          The Ohio news reports today that the new NSA Bluffdale Utah data-centre will not be used for spying on (US) email. ...so that's OK then.....I guess they'll just be using their PCIe gen3 GPU Appliance crates to mint Bitcoins?

          http://www.dispatch.com/content/stories/national_world/2013/04/16/nsa-utah-facility-not-for-spying-on-email.html

          meanwhile I forgot to mention SSL, and FF; personally - and I speak for myself here - I tend to use Chrome more as FF doesn't handle SSL certificates in the most trustworthy way - Mozilla might have suffered 'Market Capture' and a very tight/protected/extensionified Chrome is safer to use?

          http://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/ describes the use of a poisoned pdf file to download from a cloud a ten megabyte banking-attack trojan, all software was digitally signed using a valid digital certificate. The fake Brazilian company that recently bought the signing certificate from DigiCert previously used another fake company in November 2012 for similar attacks. Presumably they will attack again now that their second certificate has been revoked. Online crime is lucrative and low-risk for the attackers.

          Trust and Security of the entire internet is based on Netscape's invention of SSL. Proving that our current X.509 Browser/Certificate Authority SSL trust-relationship is broken is data gathered by the SSL Observatory and others, particularly http://www.ccssforum.org/malware-certificates.php where 124 fake no, Real CA signing certificates have been used by malware authors.

          As any certificate can be used to sign any domain, (e.g. TurkTrust signing *.google.com recently) the PKI infrastructure is just as secure as its weakest link, and the weakest links are not secure (in absolute context they are mostly but not completely secure) The 124 real certificates were purchased over 2.5 years.

          So that's a background level of around 60 certificates a year purchased fraudulently - out of millions used mostly correctly. To this can be added the numbers of stolen SSL certificates (hundreds to unknown, maybe thousands) and the 'Nation State' 'misuse' of SSL proxy certificates to which only South Korea has officially admitted but is widespread (millions), and increasing with the greater use of national DPI/Proxy systems. So the odds to be hit hard by targeted malware that bypasses current OS & Browser & AV detection are slightly better than winning a lottery - but with worse results!

          Crypto academics currently claim privately that the Certificate Authorities and Browser manufacturers live in a state of capture, neither wishing to change a lucrative revenue model, the faults are known, but are ignored by most Browser organisations. Trust in the current Certificate Authorities and Browser implementation is misplaced. Their industry body "CABForum" seems to have been designed to resist change, and simply enforce their 1990 model of security.We are 20 years beyond Netscape in terms of threats and challenges!

          CA/Browser Forum "a voluntary online security standards organisation" (public is not allowed to participate) Members are here <https://www.cabforum.org/forum.html> Apple, Google, Microsoft, Opera, Mozilla + certificate authorities

          Slow change maybe coming to the CABForum? http://www.darkreading.com/security/news/240005230/ca-browser-forum-s-mandated-royalty-free-intellectual-property-policy-change-spurs-entrust-to-withdraw-from-organization.html This article explains why Entrust has recently withdrawn from CABForum, apparently over IPR issues but mostly quote "many smaller, unproven CAs are empowered with issuing digital certificates that could very well jeopardize the trust and security of the entire Internet. Entrust can't support this position."

          When the No.2 Certificate Authority is saying that things might be bad - I'd tend to agree with them!

          1. Irongut Silver badge

            Re: The UK government?

            "I tend to use Chrome more as FF doesn't handle SSL certificates in the most trustworthy way - Mozilla might have suffered 'Market Capture' and a very tight/protected/extensionified Chrome is safer to use?"

            What do you mean by that loaded statement? Like most of your post provided without any explanation or evidence. Since you seem to be worried about your security why do you think a browser that is monitoring you for an ad agency is more secure?

            1. Anonymous Coward
              Anonymous Coward

              Re: The UK government?

              you're right its only a point of view that Mozilla\Apple\MS browsers might have suffered regulatory\Market capture through the CA/Browser forum. Google is provenly the only browser that detected and published Iranian SSL Gmail certificate hijacks, that's because Google , for all their advertising evil, is currently 'on-side' for freedom enabling communications in a few areas. This phrase "Certificate pinning: Pinning was introduced in Google Chrome 13 in order to limit the CA's that can issue certificates for Google properties" taken from http://nelenkov.blogspot.it/2012/12/certificate-pinning-in-android-42.html explains why Google is doing this, it doesn't explain why the rest of the CA/Browser Forum try and party like it's 1999!

              (Google Chrome's adverts can still be managed with aggressive Ghostery et al Plugins - for the time being, Google has of course started to block some plugins on mobile......)

        2. Yet Another Commentard
          Big Brother

          Re: The UK government? @AC 12:19

          Minitrue. The Newspeak word is Minitrue.

          <<<<<Obviously.

          1. Anonymous Coward
            Anonymous Coward

            Re: The UK government? @AC 12:19

            Also shrieking about 1984 doesn't help make a credible, level headed case...

        3. Anonymous Coward
          Anonymous Coward

          Re: The UK government?

          "B) Ohio is seeing the construction of a large enough hard disk to store everything in the world"

          Am I the only one envisioning an enormous construction site, complete with bulldozers, cranes, dump trucks, and so on, all of which are working on/around a Winchester disk drive the size of a Walmart?

      2. Anonymous Coward
        Anonymous Coward

        Re: The UK government?

        > A very small amount of critical thinking would suggest that there isn't enough storage in the world to store all traffic for all users.

        But... but... they're buying Office365.

  2. wayne 8
    Big Brother

    does not provide lawful interception...

    "As for all operators, TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation."

    Leaves open the door that they could be providing illegal services. Maybe just an English translation issue and not lawyer-speak.

    This is going on all over the world. There is no "Free World" anymore.

  3. Anonymous Coward
    Anonymous Coward

    Tough stance?

    Will we see the same stance taken against Google, MS et al? All of whom have traded with dictators and states the abuse human rights (e.g. China). And blocking TLDs of states that trade with dictators and abusers of human rights? (e.g. .uk)?

    No? Didn't think so.

    Obvious PR stunt is obvious.

    1. P. Lee

      Re: Tough stance?

      An obvious PR stunt perhaps, but that doesn't mean that it isn't useful to more than just mozilla.

      If criminals want to use SSL they can generate their own, non-snoopable certs. "Lawful interception" with or without TeliaSonera won't get you the cleartext for that. Indeed, most corporates do that internally because they can't be bothered to pay for certs.

      The interception comes in where people are accessing "public" infrastructure, such as gmail, banks etc and the government wants to do man-in-the-middle spoofing. The hardened criminal will so sensible things like deleting all root certs and making an exception for that service from a "safe" net connection. However, as a general "let's snoop on the populace" tactic, skeleton root keys come into their own.

      The problem is that TS is setting itself up selling security systems to keep things secret. If it then goes around selling imitation vaults, it can hardly expect vault users not to kick up a fuss.

      1. This post has been deleted by its author

  4. Anonymous Coward
    Anonymous Coward

    Others have done it

    The root program needs to be tightened up if this criteria is going to be considered. for a root CA key to be admitted to the browser stores they normally need to be audited to the Webtrust standard or similar. That is mostly technical and operational and doesn't go into the politics of an outfit.

    Others have been guilty of issuing mitm certs recently and weren't removed, maybe its time to clear out the root CAs a little and add to the certification process.

    1. Anonymous Dutch Coward
      Headmaster

      Re: Others have done it

      This criterium, my dear chap, these criteria...

      1. PJ 1

        Re: Others have done it

        Criterium = cycle race

        Criterion = singlular noun of which plural = criteria

  5. bearded bear can
    Thumb Up

    Uzbekistan

    well, its dictator and his daughter, are among TeliaSonera's customers. Also, TeliaSonera culture still suffers from being a spinoff from a once government controlled monopoly. They are on my evil list.

  6. Vimes

    One way to check and see if your SSL traffic is being exposed to a man in the middle attack:

    https://www.grc.com/fingerprints.htm

    1. Yet Another Anonymous coward Silver badge

      But how do you know you are going to the real www.grc.com if your ISP has sold root CAs to everybody+dog?

  7. Schultz
    Thumb Up

    Kick their certificate out...

    and I will switch to Firefox. Whatever that is worth.

  8. Anonymous Coward
    Anonymous Coward

    Mmmmmm

    Ok I can see the rights of this, but then you are also punishing innocent people (re: customers) for your own political views.

    Where does it end?

    Block all Saudi sites? Chinese? Indonesian (look up West Papua New Guinea abuses for that one)?

    It's a dangerous game when politics enter when a company that heralds itself as a bastion of a free and open web starts playing politics.

    1. Anonymous Coward
      Anonymous Coward

      Re: Mmmmmm

      Indeed. The US executes people as a punishment, most of the rest of the world doesn't, should they lose their certificates? The US has also been ........ well I'm sure you all know the long list of bad things they've been caught doing.

      I'm fairly sure they've got access to decrypt SSL traffic too, using much the same mechanisms.

      While I'm sure there are governments out there (North Korea, for example) who I think should be blocked like this we also need to make sure we don't start throwing stones in our glass houses.

      1. Anonymous Coward
        Facepalm

        Re: Mmmmmm

        "I'm sure you all know the long list of bad things they've been caught doing."

        Indeed, it's hardly possible to read the El Reg comments without being reminded of them, regardless of the context.

    2. Anonymous Coward
      Anonymous Coward

      Re: Mmmmmm

      You seem to be missing the whole point - this is not directed at any specific country or their companies, nor is it about companies that might also produce dubious spy products.

      It is the concern that the SSL they want Mozilla to include will be used for spoofing sites, so it is a direct abuse of the certificate for evil, and not that evil acts are perpetrated by some other branch of the company.

      1. hayseed

        Re: Mmmmmm

        Something that can be done now in Firefox is revoking CAs you don't trust yourself - they did this some time after a Firefox variant patched so it would not rely on certain Chinese CAs.

    3. This post has been deleted by its author

    4. Old Handle
      Go

      Re: Mmmmmm

      You can look at it that way, and wouldn't be entirely wrong. But you also have to look at the technical side. A Certificate Authority is only as good as their word. Giving their word is their only job in fact. They say "Yep this website is the real deal" or "This other guy can also be trusted to tell you whats legit". Now I haven't read any details about exactly what sort of surveillance tech they're accused of selling, but my suspicion is that it involved interception devices certified as a legitimate source for everything (i.e. *.com, *.org, *.uk, etc). If true, that would completely destroy they credibility as a Certificate Authority in my book.

      And distrusting them in the future is really the only remedy for something like that. It's not the same as blocking certain domains because their governments are bad. In fact you'd still be able to go to sites they certify, you'd just have to click through some (admittedly very aggressive) warnings that Firefox doesn't consider the certificate trustworthy.

  9. Chad H.

    This seems like the opposite of open source...

    So Mozilla is going to cut off its users from some secure content because they don't like what some third party is doing?

    How does this make them different from the dictators they're trying to strike against... It's still "do what I say or else".

    By all means support and encourage methods to subvert totalitarian control, but the instant you block content is the instant you become just like them.

    And the instant you accept coladeral damage to non involved people is the instant you need to be stopped.

    1. Anonymous Coward
      Thumb Down

      Re: This seems like the opposite of open source...

      How does this make them different from the dictators they're trying to strike against... It's still "do what I say or else".

      You have a choice of what browser you use. You don't have a choice on what dodgy cert is presented to you.

    2. David Pollard

      Re: This seems like the opposite of open source...

      The source code is out in the open for anyone who wishes to recompile it with improved facilities for government interception of their communications.

    3. Yet Another Anonymous coward Silver badge

      Re: This seems like the opposite of open source...

      No Mozilla is saying that this telco has signed root CAs for dodgy countries that allow them to fake being any site they want - Mozilla is going to stop trusting all CA signed by this ISP.

    4. Adam 1

      Re: This seems like the opposite of open source...

      It doesn't even stop Firefox from visiting those sites. You just get a warning and a recommendation not to proceed.

    5. This post has been deleted by its author

  10. John Sanders
    Trollface

    Eurovision?

    Someone tampering with the Eurovision contest voting system is a disturbing thought....

  11. Anonymous Coward
    Anonymous Coward

    Certs, the future of security...?

    Considering the recent Reg articles on :-

    A. How Certs have been hacked and captured for Malware i.e. Bit9 hacked...

    B. The expired SSL certificate that caused Microsoft Azure outages...

    ...Maybe we need to re-think the safety of the SSL CA security model...?

    1. Yet Another Anonymous coward Silver badge

      Re: Certs, the future of security...?

      The SSL CA model never worked - it was based on the idea that companies which made money from selling the most SSL CA would be in charge of policing that only legitimate customers bought them

      It's as crazy as subcontracting out the maintenance of a railway to a company that made a bigger profit by doing less maintenance - nobody would be that stupid.

  12. KitD

    Can of worms

    I suspect you're going to find dodgy dealings in the backgrounds of most root CAs. Taking a stand with this one looks a bit dogmatic.

  13. Vimes

    Personally I don't see why they don't just make it easier for the end user to select which CAs they want to trust. If they did this then the only thing that those working on firefox would need to care of would be the maintenance of a blacklist that people can either choose to use or ignore.

    1. Anonymous Coward
      Anonymous Coward

      Time to switch to Chrome if that happens.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re:

        Time to switch to Chrome if that happens.

        Thanks for letting us spy on your HTTPS sessions.

        Signed,

        Your ISP.

    2. Anonymous Coward
      Anonymous Coward

      People can select and even add self-made CAs in their browser. But most people do not understand SSL as we can clearly see from some of the comments here.

      If a CA does something that breaks SSL i.e. issuing skeleton keys to governments which allow them to fake any website seamlessly does deserve to be removed from all browsers not just firefox. Because it does exactly the opposite of what it is suppose to be doing, trust is lost and the CA no longer as an 'A' just a 'C'.

      It's just common sense not sure what some of you people are on about.

  14. batfastad
    Black Helicopters

    CAs

    I've always been concerned about all CAs. Frankly the only person I really trust is myself but it's a shame browsers are so heavily prejudiced against self-signed certificates. And it's a total pain rolling out your own root CA in an environment with a mixture of devices and locations.

    I've always thought that there must be a better way of verifying certificates by using DNS. Could you distribute a self-signed root cert or the serial in a DNS TXT record for that host? That way you could be confident that the cert belongs domain/subdomain owner (as confident as someone having access to an e-mail address at the domain which is what most CAs use for verification). This becomes even tighter with DNSSEC.

    Anyway, I don't have the answers. But there has to be a better way than putting all your trust in a bunch of anonymous private CAs.

    1. Scott Wheeler

      Re: CAs

      DNSSEC itself relies on the DNS records being signed, and hence on the integrity of the CA chain. So no, it doesn't appear that verifying web certificates using information carried by DNS will help.

  15. Don Jefe
    Happy

    Why?

    No good can come from this. By allocating resources to an investigation of what they consider crimes they are removing resources that could go into making a better product. Straying too far from your mission has killed off many companies & playing in global politics is about as off mission as Mozilla could possibly get.

    1. This post has been deleted by its author

  16. Anonymous Coward
    Anonymous Coward

    Don't care

    First thing I do when I install a new browser is delete the "trusted" authorities. I know of no reason why I would trust any of these obscure, privately owned and unaccountable faceless multinationals. I decide on a site-by-site basis.

  17. Alan Brown Silver badge

    No real surprise

    Telia has been on my "evil" list for about 15 years. So much bad stuff was routed through them in the late 1990s/early 2000s that I threw their AS in a local blackhole and have never seen a reason to remove it.

  18. Graham Marsden
    Big Brother

    "it will be seen as a tough stance against corporations...

    "...that trade with authoritarian states."

    And what about governments who trade with authoritarian states? Can you name any, boys and girls...?

    1. Anonymous Coward
      Anonymous Coward

      Re: "it will be seen as a tough stance against corporations...

      Is the answer "The LSE"?

  19. Alan Denman

    what I do ....

    is stay quiet and listen when my sphere of knowledge gets too close zero.

    1. Adam 1

      Re: what I do ....

      I am afraid that you have misunderstood the concept of an internet forum.

  20. Ramazan

    Articles like that should always provide step-by-step instructions about how to turn off the CA's certs. For example:

    in Mac OSX Mountain Lion: Launchpad->Other->Keychain Access->Keychains->System Roots:

    * Sonera Class1 CA -> Trust -> Never Trust

    * Sonera Class2 CA -> Trust -> Never Trust

    // Hope I've found all TeliaSonera's certs. Please note that it's called Sonera in OSX keychain, not TeliaSonera. And it's from Finland (didn't see this mentioned in the article too).

    1. Anonymous Coward
      Anonymous Coward

      TeliaSonera is Telia from Sweden + Sonera from Finland, now one company. Like StoraEnso with Stora from Sweden ans Enso from Finland.

  21. This post has been deleted by its author

  22. mickey mouse the fith
    Stop

    Weasel words

    So they are basically only selling backdoors in their security product to any government that requires it for " Legal law enforcement"?. Well thats reasuring then, considering its legal for el presedente to do what the fuck he likes because he makes the laws and decides whats legal in his nasty little dictatorship in the first place.

    Mozilla are absolutely right in flagging this up, whats the point in having a security certificate that really doesnt secure anything?

    Also, backdoors in security products, what could possibly go wrong?

  23. Anonymous Coward
    FAIL

    CAs

    If you are a certificate authority, you have *one job*, which is to ensure that certificates accurately match who owns them. If this company falsified a certificate, for anyone, then they have violated the trust which is their product, and have no right to be in business, or to be trusted by anyone.

    1. Anonymous Coward
      Anonymous Coward

      Re: CAs

      They're also bound to obey the law. And when the two conflict, the law takes precedence. A sealed court order to deliver a signed certificate to the intelligence services for a certain domain, on penalty of punishment, unfortunately trumps the "don't falsify a certificate" job. Which is why browsers should give users a simple way of detrusting (or selectively trusting, perhaps based on allowing certain TLD's or country codes only) some of the lesser known CA's.

  24. Anonymous Coward
    FAIL

    To the posters who don't seem to "get" this...

    It isn't the particular country or what they did that is of issue. It is that Telia violated the trust of the certificate system, and as such they should not be allowed to be part of it.

    Mozilla maintains a list of companies they trust to secure your network traffic. If Mozilla finds that one of these companies has a practice of issuing fraudulent (not for the actual party listed on the cert) certificates, then how on earth could Mozilla keep that company in their list of "trusted" certificate authorities?

  25. mhenriday
    Big Brother

    «Trusted CAs must not supply surveillance equipment to repressive regimes»

    With all due respect, Mozilla - to which I am, by the way, immensely grateful for a wonderful product and, not least, for busting Microsoft's web browser quasi-monopoly - can you provide an example of any other kinds of «regime», i e, government, than repressive ones ? Perhaps the above statement should be modified to «Trusted CAs must not supply surveillance equipment to governments, corporations, organisations, etc, etc» ?...

    Henri

  26. Gordon 10 Silver badge
    Unhappy

    Symptom not a cause

    the fact is that whilst CA's are regional, national (or international) entities they have to comply with the laws of the territory they operate in. Therefore its the CA issuing system thats broken not anything else. Since this is at heart a technical flaw in the system and will remain so until such time as certs (or their future state equivalents) can be issued independently of any political or legal interference - Is this even at all possible?

    Not wanting to defend Telia but they may have no choice but to facilitate MiTM monitoring if they operate in that country - and as noted - its not just authoritarian states that may wish to do this.

    Im sure all of us can forsee a time when the "freedom loving democracies" have or propose laws which go something like this(if they dont already have them that is) :

    1. Permit MitM attacks.

    2. Dont talk about 1.

    1. Anonymous Coward
      Anonymous Coward

      Re: Symptom not a cause

      and not forgetting

      3. the organization that plausibly organized the MiTM CA backdoors (cough..STC/ILETS cough) doesn't even exist! (according to the ancient leaked memo of one of their meetings )

      although a Google search produces the following interesting history....

      ECFS Filing: VeriSign Inc (04-295) - 11/04/2004 - FCC

      ecfsdocs.fcc.gov › CGB - Traducir esta página

      04/nov/2004 – 3.11 STC / ILETS

      VeriSign links? must just be cross contamination of a Google search database, I dunno what it all means

  27. Anonymous Coward
    Anonymous Coward

    Ah, the defective-by-design implementation of SSL certificates, where any trusted entity on the planey can issue a certificate for any site they like. Why the fuck should some entity in Azerbuckistan be able to sign a .com domain? It's about time browsers implemented some sanity checking on certificates, to at least let the user choose whether to accept a .com signed by some weird third world certification authority.

  28. Anonymous Coward
    Anonymous Coward

    This should apply to all network companies then

    There is couple of ways to intercept GSM traffic. Easiest one is to hook to bade station (BS) and tap the calls from there. If you are a regime, that wants to do so, no-one can block you. 10 years ago the kit decrypting live calls in the area of GSM cell was around size of a briefcase, I have been told. That is a reason why privacy concerned goverments have upgraded reguirement of cryptographic capabilities of live networks to A5. Oddly enough there is even EU countries that - at least still few years ago - mandated GSM cipher to be maximum of A2 level (and it was well known that the briefcase size commercial deciphering kit had been around for years). WCDMA has made live network eavesdroping harder, but it still don't block eavesdroping in BS. And of course HLR will keep your call/data/messaging logs, so at least that will be availabe to the authorities of the operating country.

    1. Anonymous Coward
      Anonymous Coward

      Re: This should apply to all network companies then

      "Legitimate" interception (ie, with warrants, complying with local laws, etc etc) is as simple as showing up to the telco and switching on a feed from the switch for the numbers concerned. I've worked for telcos and gone though all this stuff in detail over the years.

      The legal uses for which a "briefcase sized" snoop module can comfortably be numbred on one hand (the main one which springs to mind is to work out what phone number(s) someone under surveillance is carrying before putting an intercept out on it and doing that doesn't require decrypt capabilities). That's an espionage tool, not a legitimate one.

      (Telcos can also provide all data/calls for a particular area or cell, on-demand when required, but good luck getting a warrant for that unless you're tracking Unabomber or simliar)

      In any case, paranoia decrees that one assumes a network is vulnerable, crypted or not. Them what are doing "bad stuff" already work on that assumption and either keep things off-air or use at least another layer of crypto+misdirection on top. There hasn't yet been a decryption method developed which can defeat one time pads, as a for instance.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021