Re: Nation State MITM CA's ?

2019-08-21 Thread Wayne Thayer via dev-security-policy
(resending because the first attempt was not posted to the list) Mozilla has announced our response to the Kazakhstan MITM: https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/ and

Re: Nation State MITM CA's ?

2019-08-21 Thread Wayne Thayer via dev-security-policy
Mozilla has announced our response to the Kazakhstan MITM: https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/ and https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/ Note: we're in the process of adding the "Qaznet" root

Re: Nation State MITM CA's ?

2019-08-07 Thread RS Tyler Schroder via dev-security-policy
News reports[1][2] are now showing that the certificate has been "cancelled". I do not have a way to verify that it has been revoked independently at this time. Sources: [1] https://tsarka.org/post/national-certificate-cancelled [2]

Re: Nation State MITM CA's ?

2019-07-27 Thread vtolkm--- via dev-security-policy
* whatever the legislation of a sovereign state it can hardly be a browser's remit to govern the state's citizen by hard coding a block, preventing those not participating in this panel discussion to install the certificate(s) if they would desire to do so (for whatever reason that may be and

Re: Nation State MITM CA's ?

2019-07-26 Thread sedric2008--- via dev-security-policy
On Thursday, January 7, 2016 at 4:08:10 UTC+5, Paul Wouters wrote: > As was in the news before, Kazakhstan has issued a national MITM > Certificate Agency. > > Is there a policy on what to do with these? While they are not trusted, > would it be useful to explicitly blacklist these, as

Re: Nation State MITM CA's ?

2019-07-26 Thread bayden--- via dev-security-policy
On Friday, July 19, 2019 at 10:53:16 AM UTC-5, Matthew Hardeman wrote: > While possible, that seems unlikely. Corporates are, in general, not > trying to hide when this is being done. > > In fact, there are lots of good legal liability reasons why they should > want their users to be constantly

Re: Nation State MITM CA's ?

2019-07-24 Thread Matthew Hardeman via dev-security-policy
This is not at all a safe assumption. If they care to know and have active MITM infrastructure in place, the last time I looked at the issue, identifying which browser was in use (and generally speaking which operating system or set of operating systems) was fairly trivial by fingerprinting the

Re: Nation State MITM CA's ?

2019-07-24 Thread jfb1776--- via dev-security-policy
The government sending out SMSes to tell users to install the certificate doesn't (until the certificate is installed) know what browser the user is using. So, in addition to blacklisting the certificate, have it pop up a big, horrible message "Your government wants to use this to spy on you. It

Re: Nation State MITM CA's ?

2019-07-23 Thread nyxtom--- via dev-security-policy
On Wednesday, January 6, 2016 at 5:08:10 PM UTC-6, Paul Wouters wrote: > As was in the news before, Kazakhstan has issued a national MITM > Certificate Agency. > > Is there a policy on what to do with these? While they are not trusted, > would it be useful to explicitly blacklist these, as to

Re: Nation State MITM CA's ?

2019-07-23 Thread whateverusernameforme--- via dev-security-policy
On Tuesday, July 23, 2019 at 7:34:11 AM UTC+4, Matthew Hardeman wrote: > It is an interesting question. It essentially becomes a gamble on whether > they'll back down or just fork their own KazakhFox. But if they do push > this all the way with a national browser, then their people are even >

Re: Nation State MITM CA's ?

2019-07-22 Thread jfb1776--- via dev-security-policy
On Monday, July 22, 2019 at 11:34:11 PM UTC-4, Matthew Hardeman wrote: > It is an interesting question. It essentially becomes a gamble on whether > they'll back down or just fork their own KazakhFox. But if they do push > this all the way with a national browser, then their people are even >

Re: Nation State MITM CA's ?

2019-07-22 Thread Matthew Hardeman via dev-security-policy
On Mon, Jul 22, 2019 at 9:20 PM Corey Bonnell via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I think the optimal solution in terms of user security is to create a > blacklist of known MITM CA public keys and simply prevent the installation > of certificates containing

Re: Nation State MITM CA's ?

2019-07-22 Thread jfb1776--- via dev-security-policy
On Monday, July 22, 2019 at 7:08:19 PM UTC-4, qm3...@gmail.com wrote: > The real issue is that they can quickly block update servers + instruct the > population to disable updates. Which means that banners won't make it > through, and the population will stay on today's versions permanently.

Re: Nation State MITM CA's ?

2019-07-22 Thread Corey Bonnell via dev-security-policy
On Thursday, July 18, 2019 at 3:42:00 PM UTC-4, Matthew Hardeman wrote: > Regarding indicators, I agree that it should be more apparent. Perhaps a > dedicated bar that occupies an entire edge-to-edge horizontal area. > > I would propose that it might have two distinct messages, as well: > > 1.

Re: Nation State MITM CA's ?

2019-07-22 Thread qm3ster--- via dev-security-policy
If Kazakhstan MITM certificates could be swiftly banned by all major browsers, it might roll back the requirement (just as it failed in 2016) by paralyzing work. It is also more likely to cause political action and people learning more about the impact of this "policy". Governments are very

Re: Nation State MITM CA's ?

2019-07-22 Thread h via dev-security-policy
Hello, I'm from Kazakhstan and asking you to ban this certificate. The only reason it's applied is political. The government will force everyone to apply it if it will not be banned. Right now in Kazakhstan thousands of people who are repressed for political views, even mothers are sitting in

Re: Nation State MITM CA's ?

2019-07-20 Thread Jakob Bohm via dev-security-policy
On 21/07/2019 03:21, My1 wrote: Hello everyone, I am new here but also want to share my opinion about some posts here, I know it's a lot of text but I hope it's not too bad. On Friday, July 19, 2019 at 23:42:47 UTC+2, dav...@gmail.com wrote: Wouldn't it be easier to just decree that HTTPS is

Re: Nation State MITM CA's ?

2019-07-20 Thread Jakob Bohm via dev-security-policy
On 20/07/2019 09:31, simc...@gmail.com wrote: I think it must be quickly blacklisted by Google, Mozilla and Microsoft all together, because it is known as a state scale MITM affecting citizen "real" life. The purpose of https is being defeated and such companies who tried to improve network

Re: Nation State MITM CA's ?

2019-07-20 Thread My1 via dev-security-policy
On Sunday, July 21, 2019 at 03:31:03 UTC+2, sim...@gmail.com wrote: > I think it must be quickly blacklisted by Google, Mozilla and Microsoft all > together, because it is known as a state scale MITM affecting citizen "real" > life. > > The purpose of https is being defeated and such companies

Re: Nation State MITM CA's ?

2019-07-20 Thread simchat--- via dev-security-policy
I think it must be quickly blacklisted by Google, Mozilla and Microsoft all together, because it is known as a state scale MITM affecting citizen "real" life. The purpose of https is being defeated and such companies who tried to improve network security for past decade have to react (yes,

Re: Nation State MITM CA's ?

2019-07-20 Thread peridiane--- via dev-security-policy
It would allow people who are using VPNs and other alternative access strategies to realize that they forgot to turn it on/etc On Friday, July 19, 2019 at 11:26:43 AM UTC-4, muc...@wirade.ru wrote: > Well, then users will just get accustomed to seeing this indication on > corporate sites and

Re: Nation State MITM CA's ?

2019-07-20 Thread My1 via dev-security-policy
Hello everyone, I am new here but also want to share my opinion about some posts here, I know it's a lot of text but I hope it's not too bad. On Friday, July 19, 2019 at 23:42:47 UTC+2, dav...@gmail.com wrote: > Wouldn't it be easier to just decree that HTTPS is illegal and block all > outbound

Re: Nation State MITM CA's ?

2019-07-19 Thread davras--- via dev-security-policy
Wouldn't it be easier to just decree that HTTPS is illegal and block all outbound 443 (only plain-text readable comms are allowed)? Then you would not have the decrypt-encrypt/decrypt-encrypt slowdown from the MITM. If you don't want to make everyone install a certificate: Issue a

Re: Nation State MITM CA's ?

2019-07-19 Thread andrey.at.astro--- via dev-security-policy
> As others (and I) have mentioned, MitM is also how many ordinary > antivirus programs protect users from attacks. The hard part is > how to distinguish between malicious and user-helping systems. Sure, but the question is whether MiTM have reasonable security use cases for ordinary users.

Re: Nation State MITM CA's ?

2019-07-19 Thread Jakob Bohm via dev-security-policy
On 19/07/2019 21:13, andrey.at.as...@gmail.com wrote: I am confused. Since when is Mozilla under obligation to provide customized solutions for corporate MITM? IMHO, corporations, if needed, can hire someone else to develop their own forks of Chrome/Firefox to do snooping on HTTPS

Re: Nation State MITM CA's ?

2019-07-19 Thread Jakob Bohm via dev-security-policy
On 19/07/2019 16:52, Troy Cauble wrote: On Thursday, July 18, 2019 at 8:26:43 PM UTC-4, wolfgan...@gmail.com wrote: Even on corporate hardware I would like at least a notification that this is happening. I like the consistency of a reminder in all cases, but this might lead to corporate

Re: Nation State MITM CA's ?

2019-07-19 Thread effsfd32f--- via dev-security-policy
On Friday, July 19, 2019 at 21:25:05 UTC+2, saxp...@gmail.com wrote: > I am no expert at these things, so please forgive me if these are elementary > or dumb questions. > > What is different about this certificate compared to the tools the KZ > government already uses to

Re: Nation State MITM CA's ?

2019-07-19 Thread saxplaya--- via dev-security-policy
I am no expert at these things, so please forgive me if these are elementary or dumb questions. What is different about this certificate compared to the tools the KZ government already uses to block individual websites and apps? Doesn’t the KZ government already have the ability to read

Re: Nation State MITM CA's ?

2019-07-19 Thread andrey.at.astro--- via dev-security-policy
I am confused. Since when is Mozilla under obligation to provide customized solutions for corporate MITM? IMHO, corporations, if needed, can hire someone else to develop their own forks of Chrome/Firefox to do snooping on HTTPS connections. In regular browsers, developed by community effort

Re: Nation State MITM CA's ?

2019-07-19 Thread Matthew Hardeman via dev-security-policy
While possible, that seems unlikely. Corporates are, in general, not trying to hide when this is being done. In fact, there are lots of good legal liability reasons why they should want their users to be constantly reminded. On Fri, Jul 19, 2019 at 10:27 AM Troy Cauble via dev-security-policy <

Re: Nation State MITM CA's ?

2019-07-19 Thread Troy Cauble via dev-security-policy
On Thursday, July 18, 2019 at 8:26:43 PM UTC-4, wolfgan...@gmail.com wrote: > Even on corporate hardware I would like at least a notification that this is > happening. I like the consistency of a reminder in all cases, but this might lead to corporate policies to use other browsers.

Re: Nation State MITM CA's ?

2019-07-19 Thread nusch88--- via dev-security-policy
On Thursday, January 7, 2016 at 00:08:10 UTC+1, Paul Wouters wrote: > As was in the news before, Kazakhstan has issued a national MITM > Certificate Agency. > > Is there a policy on what to do with these? While they are not trusted, > would it be useful to explicitly blacklist

Re: Nation State MITM CA's ?

2019-07-19 Thread mucius--- via dev-security-policy
Well, then users will just get accustomed to seeing this indication on corporate sites and will ignore it. Regards, Mucius. On Friday, July 19, 2019 at 3:26:43 AM UTC+3, wolfgan...@gmail.com wrote: > I am not a Mozilla developer, nor have I ever been, but I am a user of what I > consider to

Re: Nation State MITM CA's ?

2019-07-19 Thread cmalikz.h--- via dev-security-policy
Appeal to the Mozilla Firefox developers Hello to all! I'm a software engineer and a citizen of Kazakhstan. This certificate is not implemented to protect users, but for political reasons. Kazakhstan has a dictatorship. This is done specifically to block "politically incorrect content". Look

Re: Nation State MITM CA's ?

2019-07-19 Thread troycauble--- via dev-security-policy
On Thursday, July 18, 2019 at 2:39:51 PM UTC-4, Matthew Hardeman wrote: > Isn't the logical outcome that the nation-state forks one of the > open-source browser projects, patches in their MiTM certificate, and > un-does the blacklisting? I think that's exactly what would happen. The > trouble

Re: Nation State MITM CA's ?

2019-07-18 Thread wolfgang.richter--- via dev-security-policy
I am not a Mozilla developer, nor have I ever been, but I am a user of what I consider to still be the free Internet. I have been in scenarios with silent MITM attacks, primarily corporate environments as has been mentioned on this thread, and I would _greatly_ appreciate visual indication that

Re: Nation State MITM CA's ?

2019-07-18 Thread gewalopdrbat--- via dev-security-policy
While this is a technical discussion, it's important to note that a decision made here *will* have consequences on real people, which adds an essential moral component. Kazakhstan is a nation state known for its poor human rights record. Journalists critical of the government have been

Re: Nation State MITM CA's ?

2019-07-18 Thread healthyelijah--- via dev-security-policy
On Thursday, July 18, 2019 at 12:42:00 PM UTC-7, Matthew Hardeman wrote: > Regarding indicators, I agree that it should be more apparent. Perhaps a > dedicated bar that occupies an entire edge-to-edge horizontal area. > > I would propose that it might have two distinct messages, as well: > > 1.

Re: Nation State MITM CA's ?

2019-07-18 Thread Matthew Hardeman via dev-security-policy
Regarding indicators, I agree that it should be more apparent. Perhaps a dedicated bar that occupies an entire edge-to-edge horizontal area. I would propose that it might have two distinct messages, as well: 1. A message that an explicitly known MiTM certificate exists in the certificate chain

Re: Nation State MITM CA's ?

2019-07-18 Thread Andrew via dev-security-policy
I agree a persistent indicator is a good idea. From what I understand Firefox does already have an indicator hidden in the site information box that appears when you click the lock icon in the address bar ( https://bugzilla.mozilla.org/show_bug.cgi?id=1549605 ). This should be more visible in

Re: Nation State MITM CA's ?

2019-07-18 Thread Matthew Hardeman via dev-security-policy
If the government of Kazakhstan requires interception of TLS as a condition of access, the real question being asked is whether or not Mozilla products will tolerate being used in these circumstances. Your options are to block the certificate, in which case Mozilla products simply become unusable

Re: Nation State MITM CA's ?

2019-07-18 Thread Wayne Thayer via dev-security-policy
On Thu, Jul 18, 2019 at 10:00 AM Ryan Sleevi wrote: > > On Thu, Jul 18, 2019 at 12:50 PM Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Finally, I'll point out that Firefox implements public key pinning via a >> preloaded list of sites, so the

Re: Nation State MITM CA's ?

2019-07-18 Thread Wayne Thayer via dev-security-policy
For everyone's reference, here is a link to the old thread: https://groups.google.com/d/msg/mozilla.dev.security.policy/wnuKAhACo3E/ujxPTWTlCQAJ To be clear, the Kazakhstan government CA's root inclusion request referenced in that thread was denied:

Re: Nation State MITM CA's ?

2019-07-18 Thread starosekpd--- via dev-security-policy
Sorry for bumping this old thread, but the Government of Kazakhstan has already started to use the certificate for MITM. Some information in the news (in Russian): https://tengrinews.kz/internet/spetsialnyiy-sertifikat-poprosili-ustanovit-smartfonyi-374216/

Re: Nation State MITM CA's ?

2016-01-13 Thread Kathleen Wilson
On 1/7/16 12:29 PM, Kathleen Wilson wrote: Until such time that they provide this, I don't see how they are any different from the thousands of private PKIs that are run by companies for their own use. Many of those PKIs may be used to MITM connections. OK. I suppose that means I should go

RE: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-12 Thread Paul Wouters
On Tue, 12 Jan 2016, Peter Gutmann wrote: Or we ensure that firefox and chrome refuses to see those sites at all, because they refuse a downgrade attack. So users will switch to whatever browser doesn't block it, because given the choice between connecting to Facebook insecurely or not

Re: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-12 Thread Phillip Hallam-Baker
It really isn't a good idea for Mozilla to try to mitigate the security concerns of people living in a police state. The cost of doing so is you will set precedents that others demand be respected. Yes providing crypto with a hole in it will be better than no crypto at all for the people who

Re: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-12 Thread Eric Mill
The Mozilla Trusted Root program can and should police violations of the Mozilla Trusted Root program, and any other fraudulent *publicly trusted* certificates. That's non-controversial. Policing violations of more general social norms -- by choosing to actively distrust non-publicly-trusted

Re: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-12 Thread Phillip Hallam-Baker
On Tue, Jan 12, 2016 at 11:46 AM, Jakob Bohm wrote: > On 12/01/2016 16:49, Phillip Hallam-Baker wrote: >> >> It really isn't a good idea for Mozilla to try to mitigate the >> security concerns of people living in a police state. The cost of >> doing so is you will set

RE: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-11 Thread Peter Gutmann
Paul Wouters writes: >> If you disallow the cert and turn off encryption, Borat can still read >> everyone's traffic, but so can everyone else on the planet. > >Who said "turn off encryption"? If you don't allow the MITM cert, which is needed to enable encryption in the

Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-11 Thread Kai Engert
On Mon, 2016-01-11 at 19:45 +0100, Jakob Bohm wrote: > He is obviously referring to the fact that refusing to encrypt using > the MiTM certificate would force users to access their e-mails (etc.) > using unencrypted connections (plain HTTP, plain IMAP, plain POP3 > etc.), thus exposing themselves

Re: Nation State MITM CA's ?

2016-01-11 Thread bkhowson
On Saturday, January 9, 2016 at 11:24:31 AM UTC-5, cub...@gmail.com wrote: > On Thursday, January 7, 2016 at 12:08:10 AM UTC+1, Paul Wouters wrote: > > As was in the news before, Kazakhstan has issued a national MITM > > Certificate Agency. > > > > Is there a policy on what to do with these?

Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-11 Thread Phillip Hallam-Baker
On Mon, Jan 11, 2016 at 1:45 PM, Jakob Bohm wrote: > On 09/01/2016 19:22, Kai Engert wrote: >> >> On Sat, 2016-01-09 at 14:11 +, Peter Gutmann wrote: >>> >>> That would have some pretty bad consequences. With the MITM CA cert >>> enabled, >>> Borat [0] can read every

Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-11 Thread Jakob Bohm
On 09/01/2016 19:22, Kai Engert wrote: On Sat, 2016-01-09 at 14:11 +, Peter Gutmann wrote: That would have some pretty bad consequences. With the MITM CA cert enabled, Borat [0] can read every Kazakh user's email, but no-one else can. With the MITM CA blacklisted, Borat can still read

Re: Nation State MITM CA's ?

2016-01-11 Thread Jakob Bohm
On 08/01/2016 23:31, Florian Weimer wrote: * Jakob Bohm: Could they, hypothetically, simply claim to use the real certificate on the connection from their MiTM machines to the real server to do practical control validation? They would have to claim, also, that they are holding the private key

RE: [FORGED] Re: Nation State MITM CA's ?

2016-01-09 Thread Peter Gutmann
Kai Engert writes: >Independently of the request for inclusion, this group could discuss if the >Kazakhstan's CAs should be blacklisted, by adding them to the Mozilla CA list >using negative distrust flags That would have some pretty bad consequences. With the MITM CA cert

Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-09 Thread Kai Engert
On Sat, 2016-01-09 at 14:11 +, Peter Gutmann wrote: > That would have some pretty bad consequences.  With the MITM CA cert enabled, > Borat [0] can read every Kazakh user's email, but no-one else can.  With the > MITM CA blacklisted, Borat can still read every Kazakh user's email, but so > can

Re: Nation State MITM CA's ?

2016-01-09 Thread cubaguy
On Thursday, January 7, 2016 at 12:08:10 AM UTC+1, Paul Wouters wrote: > As was in the news before, Kazakhstan has issued a national MITM > Certificate Agency. > > Is there a policy on what to do with these? While they are not trusted, > would it be useful to explicitly blacklist these, as to

Re: Nation State MITM CA's ?

2016-01-08 Thread Phillip Hallam-Baker
On Thu, Jan 7, 2016 at 2:00 PM, Kathleen Wilson wrote: > On 1/6/16 3:07 PM, Paul Wouters wrote: >> >> >> As was in the news before, Kazakhstan has issued a national MITM >> Certificate Agency. >> >> Is there a policy on what to do with these? While they are not trusted, >>

Re: Nation State MITM CA's ?

2016-01-08 Thread Kai Engert
I think several separate points need to be discussed. (a) Inclusion as trustworthy for the global Internet You might have seen this article, which, to my surprise, can no longer be found on the site itself, so here is an archived copy:

Re: Nation State MITM CA's ?

2016-01-08 Thread Florian Weimer
* Jakob Bohm: > Could they, hypothetically, simply claim to use the real certificate on > the connection from their MiTM machines to the real server to do > practical control validation? They would have to claim, also, that > they are holding the private key of the MiTM certificate "in trust" on

Re: Nation State MITM CA's ?

2016-01-07 Thread Peter Bowen
On Thu, Jan 7, 2016 at 2:34 PM, David E. Ross wrote: > On 1/7/2016 12:29 PM, Kathleen Wilson wrote: >> On 1/7/16 11:15 AM, Peter Bowen wrote: >>> >>> >>> Until such time that they provide this, I don't see how they are any >>> different from the thousands of private PKIs

Re: Nation State MITM CA's ?

2016-01-07 Thread Kathleen Wilson
On 1/7/16 11:15 AM, Peter Bowen wrote: Until such time that they provide this, I don't see how they are any different from the thousands of private PKIs that are run by companies for their own use. Many of those PKIs may be used to MITM connections. OK. I suppose that means I should go ahead

Re: Nation State MITM CA's ?

2016-01-07 Thread Jakob Bohm
On 07/01/2016 00:07, Paul Wouters wrote: As was in the news before, Kazakhstan has issued a national MITM Certificate Agency. Is there a policy on what to do with these? While they are not trusted, would it be useful to explicitly blacklist these, as to make it impossible to trust even if the

Re: Nation State MITM CA's ?

2016-01-07 Thread Paul Wouters
On Thu, 7 Jan 2016, Jakob Bohm wrote: It would appear from this information, that this CA (and probably others like it) is deliberately serving a dual role: 1. It is the legitimate trust anchor for some domains that browser users will need to access (in this case: Kazakh government sites