Firefox 'death sentence' threat to TeliaSonera over gov spy claims Firefox-maker Mozilla could issue a "death sentence" to TeliaSonera's SSL business over allegations the telecoms giant sold Orwellian surveillance tech to dictators. The punishment would be an embarrassing blow to the company: it would effectively cut off HTTPS-encrypted websites verified by TeliaSonera from Firefox users, who …
"... it will capture ALL traffic for ALL users..."
If you're going to object to something, at least try to understand what it is you're objecting to. A very small amount of critical thinking would suggest that there isn't enough storage in the world to store all traffic for all users.
Personally I'm generally speaking against this law, but people who don't understand it and bang on about everyone's data being kept by the government for ever really don't help mount a credible case against the law.
3 open responses: to 'people who don't understand it'
A) a quick data-mining signature-based first sift of the UK's telecoms morning traffic would give the MinTruth enough data to start hounding the targets of the day. (according to French press Amesys actually programmed the human targets in to the DPI systems that were installed in Ghadaffi's Libya - the argument that DPI monitoring is a dual-use weapon don't hold when it has seemingly already been sold as a loaded weapon!)
B) Ohio is seeing the construction of a large enough hard disk to store everything in the world for all users. Many nations export all their internet data to 'partners' - including Sweden, why?
C) the various human rights treaties that were pushed post-WWII by Sir Winston Leonard Spencer-Churchill, KG, OM, CH, TD, DL, FRS, Hon. RA (30 November 1874 – 24 January 1965) have the keyword 'proportional' that seems to be missing from most of the UK's current and planned future activities...he certainly understood "it"
correction of response B)
The Ohio news reports today that the new NSA Bluffdale Utah data-centre will not be used for spying on (US) email. ...so that's OK then.....I guess they'll just be using their PCIe gen3 GPU Appliance crates to mint Bitcoins?
http://www.dispatch.com/content/stories/national_world/2013/04/16/nsa-utah-facility-not-for-spying-on-email.html
meanwhile I forgot to mention SSL, and FF; personally - and I speak for myself here - I tend to use Chrome more as FF doesn't handle SSL certificates in the most trustworthy way - Mozilla might have suffered 'Market Capture' and a very tight/protected/extensionified Chrome is safer to use?
http://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/ describes the use of a poisoned pdf file to download from a cloud a ten megabyte banking-attack trojan, all software was digitally signed using a valid digital certificate. The fake Brazilian company that recently bought the signing certificate from DigiCert previously used another fake company in November 2012 for similar attacks. Presumably they will attack again now that their second certificate has been revoked. Online crime is lucrative and low-risk for the attackers.
Trust and Security of the entire internet is based on Netscape's invention of SSL. Proving that our current X.509 Browser/Certificate Authority SSL trust-relationship is broken is data gathered by the SSL Observatory and others, particularly http://www.ccssforum.org/malware-certificates.php where 124 fake no, Real CA signing certificates have been used by malware authors.
As any certificate can be used to sign any domain, (e.g. TurkTrust signing *.google.com recently) the PKI infrastructure is just as secure as its weakest link, and the weakest links are not secure (in absolute context they are mostly but not completely secure) The 124 real certificates were purchased over 2.5 years.
So that's a background level of around 60 certificates a year purchased fraudulently - out of millions used mostly correctly. To this can be added the numbers of stolen SSL certificates (hundreds to unknown, maybe thousands) and the 'Nation State' 'misuse' of SSL proxy certificates to which only South Korea has officially admitted but is widespread (millions), and increasing with the greater use of national DPI/Proxy systems. So the odds to be hit hard by targeted malware that bypasses current OS & Browser & AV detection are slightly better than winning a lottery - but with worse results!
Crypto academics currently claim privately that the Certificate Authorities and Browser manufacturers live in a state of capture, neither wishing to change a lucrative revenue model, the faults are known, but are ignored by most Browser organisations. Trust in the current Certificate Authorities and Browser implementation is misplaced. Their industry body "CABForum" seems to have been designed to resist change, and simply enforce their 1990 model of security.We are 20 years beyond Netscape in terms of threats and challenges!
CA/Browser Forum "a voluntary online security standards organisation" (public is not allowed to participate) Members are here <https://www.cabforum.org/forum.html> Apple, Google, Microsoft, Opera, Mozilla + certificate authorities
Slow change maybe coming to the CABForum? http://www.darkreading.com/security/news/240005230/ca-browser-forum-s-mandated-royalty-free-intellectual-property-policy-change-spurs-entrust-to-withdraw-from-organization.html This article explains why Entrust has recently withdrawn from CABForum, apparently over IPR issues but mostly quote "many smaller, unproven CAs are empowered with issuing digital certificates that could very well jeopardize the trust and security of the entire Internet. Entrust can't support this position."
When the No.2 Certificate Authority is saying that things might be bad - I'd tend to agree with them!
"I tend to use Chrome more as FF doesn't handle SSL certificates in the most trustworthy way - Mozilla might have suffered 'Market Capture' and a very tight/protected/extensionified Chrome is safer to use?"
What do you mean by that loaded statement? Like most of your post provided without any explanation or evidence. Since you seem to be worried about your security why do you think a browser that is monitoring you for an ad agency is more secure?
you're right its only a point of view that Mozilla\Apple\MS browsers might have suffered regulatory\Market capture through the CA/Browser forum. Google is provenly the only browser that detected and published Iranian SSL Gmail certificate hijacks, that's because Google , for all their advertising evil, is currently 'on-side' for freedom enabling communications in a few areas. This phrase "Certificate pinning: Pinning was introduced in Google Chrome 13 in order to limit the CA's that can issue certificates for Google properties" taken from http://nelenkov.blogspot.it/2012/12/certificate-pinning-in-android-42.html explains why Google is doing this, it doesn't explain why the rest of the CA/Browser Forum try and party like it's 1999!
(Google Chrome's adverts can still be managed with aggressive Ghostery et al Plugins - for the time being, Google has of course started to block some plugins on mobile......)
"B) Ohio is seeing the construction of a large enough hard disk to store everything in the world"
Am I the only one envisioning an enormous construction site, complete with bulldozers, cranes, dump trucks, and so on, all of which are working on/around a Winchester disk drive the size of a Walmart?
"As for all operators, TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation."
Leaves open the door that they could be providing illegal services. Maybe just an English translation issue and not lawyer-speak.
This is going on all over the world. There is no "Free World" anymore.
Will we see the same stance taken against Google, MS et al? All of whom have traded with dictators and states the abuse human rights (e.g. China). And blocking TLDs of states that trade with dictators and abusers of human rights? (e.g. .uk)?
No? Didn't think so.
Obvious PR stunt is obvious.
An obvious PR stunt perhaps, but that doesn't mean that it isn't useful to more than just mozilla.
If criminals want to use SSL they can generate their own, non-snoopable certs. "Lawful interception" with or without TeliaSonera won't get you the cleartext for that. Indeed, most corporates do that internally because they can't be bothered to pay for certs.
The interception comes in where people are accessing "public" infrastructure, such as gmail, banks etc and the government wants to do man-in-the-middle spoofing. The hardened criminal will so sensible things like deleting all root certs and making an exception for that service from a "safe" net connection. However, as a general "let's snoop on the populace" tactic, skeleton root keys come into their own.
The problem is that TS is setting itself up selling security systems to keep things secret. If it then goes around selling imitation vaults, it can hardly expect vault users not to kick up a fuss.
This post has been deleted by its author
The root program needs to be tightened up if this criteria is going to be considered. for a root CA key to be admitted to the browser stores they normally need to be audited to the Webtrust standard or similar. That is mostly technical and operational and doesn't go into the politics of an outfit.
Others have been guilty of issuing mitm certs recently and weren't removed, maybe its time to clear out the root CAs a little and add to the certification process.
Ok I can see the rights of this, but then you are also punishing innocent people (re: customers) for your own political views.
Where does it end?
Block all Saudi sites? Chinese? Indonesian (look up West Papua New Guinea abuses for that one)?
It's a dangerous game when politics enter when a company that heralds itself as a bastion of a free and open web starts playing politics.
Indeed. The US executes people as a punishment, most of the rest of the world doesn't, should they lose their certificates? The US has also been ........ well I'm sure you all know the long list of bad things they've been caught doing.
I'm fairly sure they've got access to decrypt SSL traffic too, using much the same mechanisms.
While I'm sure there are governments out there (North Korea, for example) who I think should be blocked like this we also need to make sure we don't start throwing stones in our glass houses.
You seem to be missing the whole point - this is not directed at any specific country or their companies, nor is it about companies that might also produce dubious spy products.
It is the concern that the SSL they want Mozilla to include will be used for spoofing sites, so it is a direct abuse of the certificate for evil, and not that evil acts are perpetrated by some other branch of the company.
This post has been deleted by its author
You can look at it that way, and wouldn't be entirely wrong. But you also have to look at the technical side. A Certificate Authority is only as good as their word. Giving their word is their only job in fact. They say "Yep this website is the real deal" or "This other guy can also be trusted to tell you whats legit". Now I haven't read any details about exactly what sort of surveillance tech they're accused of selling, but my suspicion is that it involved interception devices certified as a legitimate source for everything (i.e. *.com, *.org, *.uk, etc). If true, that would completely destroy they credibility as a Certificate Authority in my book.
And distrusting them in the future is really the only remedy for something like that. It's not the same as blocking certain domains because their governments are bad. In fact you'd still be able to go to sites they certify, you'd just have to click through some (admittedly very aggressive) warnings that Firefox doesn't consider the certificate trustworthy.
So Mozilla is going to cut off its users from some secure content because they don't like what some third party is doing?
How does this make them different from the dictators they're trying to strike against... It's still "do what I say or else".
By all means support and encourage methods to subvert totalitarian control, but the instant you block content is the instant you become just like them.
And the instant you accept coladeral damage to non involved people is the instant you need to be stopped.
The SSL CA model never worked - it was based on the idea that companies which made money from selling the most SSL CA would be in charge of policing that only legitimate customers bought them
It's as crazy as subcontracting out the maintenance of a railway to a company that made a bigger profit by doing less maintenance - nobody would be that stupid.
This post has been deleted by its author
People can select and even add self-made CAs in their browser. But most people do not understand SSL as we can clearly see from some of the comments here.
If a CA does something that breaks SSL i.e. issuing skeleton keys to governments which allow them to fake any website seamlessly does deserve to be removed from all browsers not just firefox. Because it does exactly the opposite of what it is suppose to be doing, trust is lost and the CA no longer as an 'A' just a 'C'.
It's just common sense not sure what some of you people are on about.
I've always been concerned about all CAs. Frankly the only person I really trust is myself but it's a shame browsers are so heavily prejudiced against self-signed certificates. And it's a total pain rolling out your own root CA in an environment with a mixture of devices and locations.
I've always thought that there must be a better way of verifying certificates by using DNS. Could you distribute a self-signed root cert or the serial in a DNS TXT record for that host? That way you could be confident that the cert belongs domain/subdomain owner (as confident as someone having access to an e-mail address at the domain which is what most CAs use for verification). This becomes even tighter with DNSSEC.
Anyway, I don't have the answers. But there has to be a better way than putting all your trust in a bunch of anonymous private CAs.
No good can come from this. By allocating resources to an investigation of what they consider crimes they are removing resources that could go into making a better product. Straying too far from your mission has killed off many companies & playing in global politics is about as off mission as Mozilla could possibly get.
This post has been deleted by its author
Articles like that should always provide step-by-step instructions about how to turn off the CA's certs. For example:
in Mac OSX Mountain Lion: Launchpad->Other->Keychain Access->Keychains->System Roots:
* Sonera Class1 CA -> Trust -> Never Trust
* Sonera Class2 CA -> Trust -> Never Trust
// Hope I've found all TeliaSonera's certs. Please note that it's called Sonera in OSX keychain, not TeliaSonera. And it's from Finland (didn't see this mentioned in the article too).
This post has been deleted by its author
So they are basically only selling backdoors in their security product to any government that requires it for " Legal law enforcement"?. Well thats reasuring then, considering its legal for el presedente to do what the fuck he likes because he makes the laws and decides whats legal in his nasty little dictatorship in the first place.
Mozilla are absolutely right in flagging this up, whats the point in having a security certificate that really doesnt secure anything?
Also, backdoors in security products, what could possibly go wrong?
If you are a certificate authority, you have *one job*, which is to ensure that certificates accurately match who owns them. If this company falsified a certificate, for anyone, then they have violated the trust which is their product, and have no right to be in business, or to be trusted by anyone.
They're also bound to obey the law. And when the two conflict, the law takes precedence. A sealed court order to deliver a signed certificate to the intelligence services for a certain domain, on penalty of punishment, unfortunately trumps the "don't falsify a certificate" job. Which is why browsers should give users a simple way of detrusting (or selectively trusting, perhaps based on allowing certain TLD's or country codes only) some of the lesser known CA's.
It isn't the particular country or what they did that is of issue. It is that Telia violated the trust of the certificate system, and as such they should not be allowed to be part of it.
Mozilla maintains a list of companies they trust to secure your network traffic. If Mozilla finds that one of these companies has a practice of issuing fraudulent (not for the actual party listed on the cert) certificates, then how on earth could Mozilla keep that company in their list of "trusted" certificate authorities?
With all due respect, Mozilla - to which I am, by the way, immensely grateful for a wonderful product and, not least, for busting Microsoft's web browser quasi-monopoly - can you provide an example of any other kinds of «regime», i e, government, than repressive ones ? Perhaps the above statement should be modified to «Trusted CAs must not supply surveillance equipment to governments, corporations, organisations, etc, etc» ?...
Henri
the fact is that whilst CA's are regional, national (or international) entities they have to comply with the laws of the territory they operate in. Therefore its the CA issuing system thats broken not anything else. Since this is at heart a technical flaw in the system and will remain so until such time as certs (or their future state equivalents) can be issued independently of any political or legal interference - Is this even at all possible?
Not wanting to defend Telia but they may have no choice but to facilitate MiTM monitoring if they operate in that country - and as noted - its not just authoritarian states that may wish to do this.
Im sure all of us can forsee a time when the "freedom loving democracies" have or propose laws which go something like this(if they dont already have them that is) :
1. Permit MitM attacks.
2. Dont talk about 1.
and not forgetting
3. the organization that plausibly organized the MiTM CA backdoors (cough..STC/ILETS cough) doesn't even exist! (according to the ancient leaked memo of one of their meetings )
although a Google search produces the following interesting history....
ECFS Filing: VeriSign Inc (04-295) - 11/04/2004 - FCC
ecfsdocs.fcc.gov › CGB - Traducir esta página
04/nov/2004 – 3.11 STC / ILETS
VeriSign links? must just be cross contamination of a Google search database, I dunno what it all means
Ah, the defective-by-design implementation of SSL certificates, where any trusted entity on the planey can issue a certificate for any site they like. Why the fuck should some entity in Azerbuckistan be able to sign a .com domain? It's about time browsers implemented some sanity checking on certificates, to at least let the user choose whether to accept a .com signed by some weird third world certification authority.
There is couple of ways to intercept GSM traffic. Easiest one is to hook to bade station (BS) and tap the calls from there. If you are a regime, that wants to do so, no-one can block you. 10 years ago the kit decrypting live calls in the area of GSM cell was around size of a briefcase, I have been told. That is a reason why privacy concerned goverments have upgraded reguirement of cryptographic capabilities of live networks to A5. Oddly enough there is even EU countries that - at least still few years ago - mandated GSM cipher to be maximum of A2 level (and it was well known that the briefcase size commercial deciphering kit had been around for years). WCDMA has made live network eavesdroping harder, but it still don't block eavesdroping in BS. And of course HLR will keep your call/data/messaging logs, so at least that will be availabe to the authorities of the operating country.
"Legitimate" interception (ie, with warrants, complying with local laws, etc etc) is as simple as showing up to the telco and switching on a feed from the switch for the numbers concerned. I've worked for telcos and gone though all this stuff in detail over the years.
The legal uses for which a "briefcase sized" snoop module can comfortably be numbred on one hand (the main one which springs to mind is to work out what phone number(s) someone under surveillance is carrying before putting an intercept out on it and doing that doesn't require decrypt capabilities). That's an espionage tool, not a legitimate one.
(Telcos can also provide all data/calls for a particular area or cell, on-demand when required, but good luck getting a warrant for that unless you're tracking Unabomber or simliar)
In any case, paranoia decrees that one assumes a network is vulnerable, crypted or not. Them what are doing "bad stuff" already work on that assumption and either keep things off-air or use at least another layer of crypto+misdirection on top. There hasn't yet been a decryption method developed which can defeat one time pads, as a for instance.
.deb packages The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
