Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread Thomas Townsend
Yaroslav

If there is no local chapter willing and able to take action, then
presumably it falls to WMF central to do so, as they have in the USA
and Turkey

The Turnip

On Tue, 23 Jul 2019 at 12:41, Yaroslav Blanter  wrote:
>
> I do not think Kazakhstan has a chapter. In the past, some Kazakh
> Wikimedians enjoyed close collaboration with the government (for example,
> the Kazakhstani Encyclopedia has been released under a free license and
> verbatim copied to the Kazakh Wikipedia, so that I do not expect much.
>
> Cheers
> Yaroslav
>
> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend 
> wrote:
>
> > Yury
> >
> > What is the position of the Kazakhstan chapter on this?
> >
> > The Turnip
> >
> > On Sun, 21 Jul 2019 at 11:36, Yury Bulka
> >  wrote:
> > >
> > > I'm sure many have heard about this:
> > >
> > https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> > >
> > > Essentially, the government in Kazakhstan started forcing citizens into
> > > installing a root TLS certificate on their devices that would allow the
> > > government to intercept, decrypt and manipulate all HTTPS traffic.
> > >
> > > Without the certificate, it seems, citizens can't access HTTPS pages (at
> > > least on some ISPs).
> > >
> > > I think this has serious implications for Wikipedia & Wikimedia, as not
> > > only they would be easily able to see which articles people read, but
> > > also steal login credentials, depseudonymize people and even hijack
> > > admin accounts.
> > >
> > > Another danger is that if this effort by Kazakhstan succeeds, other
> > > governments may start doing the same.
> > >
> > > I wonder if WMF has any position on this yet?
> > >
> > > Best,
> > > Yury.
> > >
> > > ___
> > > Wikimedia-l mailing list, guidelines at:
> > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
> > https://meta.wikimedia.org/wiki/Wikimedia-l
> > > New messages to: Wikimedia-l@lists.wikimedia.org
> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,


Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread John Erling Blad
Seems like something happened early Friday morning. [1]

[1] https://censoredplanet.org/kazakhstan/live

On Sun, Jul 28, 2019 at 2:43 PM John Erling Blad  wrote:

> You are right. “Firefox and Chrome disable pin validation for pinned hosts
> whose validated certificate chain terminates at a user-defined trust anchor
> (rather than a built-in trust anchor). This means that for users who
> imported custom root certificates all pinning violations are ignored.” [1]
>
> [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
>
> On Sun, Jul 28, 2019 at 2:07 PM Alex Monk  wrote:
>
>> Correct me if I'm wrong but I believe browsers always ignored HPKP rules
>> when presented with a cert signed by a CA that is locally installed rather
>> than default.
>>
>> On Sun, 28 Jul 2019, 12:58 John Erling Blad,  wrote:
>>
>> > The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but
>> > Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the
>> > MITM attack possible, by forcing the users to install the root
>> certificate,
>> > as many of the sites listed have been on the HPKP list. With HPKP in
>> place
>> > the scheme would be somewhat harder to implement.
>> >
>> > [1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
>> > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
>> >
>> > On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka <
>> > setthemf...@privacyrequired.com>
>> > wrote:
>> >
>> > > I don't see any position from Mozilla on this yet:
>> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
>> > >
>> > >
>> >
>> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E
>> > >
>> > > Couldn't find anything about Google Chrome.
>> > >
>> > > Meanwhile, I have emailed secur...@wikimedia.org with a link to this
>> > > discussion (hope it's not a terribly inappropriate thing to do).
>> > >
>> > > It'd be great to hear from WMF about their view on this.
>> > >
>> > > Best,
>> > > Yury.
>> > >
>> > > Yury Bulka  writes:
>> > >
>> > > > I'm not in Kazakhstan and am not directly in touch with any of
>> > > > wikimedians there, so I don't know their position.
>> > > >
>> > > > However, I'm not sure how much freedom they have in expressing their
>> > > > honest opinion about this publicly. Simply because it is always a
>> > > > pros-and-cons calculation to criticise your local government in such
>> > > > situations.
>> > > >
>> > > > Yaroslav Blanter  writes:
>> > > >
>> > > >> I do not think Kazakhstan has a chapter. In the past, some Kazakh
>> > > >> Wikimedians enjoyed close collaboration with the government (for
>> > > example,
>> > > >> the Kazakhstani Encyclopedia has been released under a free license
>> > and
>> > > >> verbatim copied to the Kazakh Wikipedia, so that I do not expect
>> much.
>> > > >>
>> > > >> Cheers
>> > > >> Yaroslav
>> > > >>
>> > > >> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <
>> > homesec1...@gmail.com
>> > > >
>> > > >> wrote:
>> > > >>
>> > > >>> Yury
>> > > >>>
>> > > >>> What is the position of the Kazakhstan chapter on this?
>> > > >>>
>> > > >>> The Turnip
>> > > >>>
>> > > >>> On Sun, 21 Jul 2019 at 11:36, Yury Bulka
>> > > >>>  wrote:
>> > > >>> >
>> > > >>> > I'm sure many have heard about this:
>> > > >>> >
>> > > >>>
>> > >
>> >
>> https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
>> > > >>> >
>> > > >>> > Essentially, the government in Kazakhstan started forcing
>> citizens
>> > > into
>> > > >>> > installing a root TLS certificate on their devices that would
>> allow
>> > > the
>> > > >>> > government to intercept, decrypt and manipulate all HTTPS
>> traffic.
>> > > >>> >
>> > > >>> > Without the certificate, it seems, citizens can't access HTTPS
>> > pages
>> > > (at
>> > > >>> > least on some ISPs).
>> > > >>> >
>> > > >>> > I think this has serious implications for Wikipedia &
>> Wikimedia, as
>> > > not
>> > > >>> > only they would be easily able to see which articles people
>> read,
>> > but
>> > > >>> > also steal login credentials, depseudonymize people and even
>> hijack
>> > > >>> > admin accounts.
>> > > >>> >
>> > > >>> > Another danger is that if this effort by Kazakhstan
>> succeeds,
>> > > other
>> > > >>> > governments may start doing the same.
>> > > >>> >
>> > > >>> > I wonder if WMF has any position on this yet?
>> > > >>> >
>> > > >>> > Best,
>> > > >>> > Yury.

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread John Erling Blad
You are right. “Firefox and Chrome disable pin validation for pinned hosts
whose validated certificate chain terminates at a user-defined trust anchor
(rather than a built-in trust anchor). This means that for users who
imported custom root certificates all pinning violations are ignored.” [1]

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

On Sun, Jul 28, 2019 at 2:07 PM Alex Monk  wrote:

> Correct me if I'm wrong but I believe browsers always ignored HPKP rules
> when presented with a cert signed by a CA that is locally installed rather
> than default.
>
> On Sun, 28 Jul 2019, 12:58 John Erling Blad,  wrote:
>
> > The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but
> > Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the
> > MITM attack possible, by forcing the users to install the root
> certificate,
> > as many of the sites listed have been on the HPKP list. With HPKP in place
> > the scheme would be somewhat harder to implement.
> >
> > [1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
> > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
> >
> > On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka <
> > setthemf...@privacyrequired.com>
> > wrote:
> >
> > > I don't see any position from Mozilla on this yet:
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
> > >
> > >
> >
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E
> > >
> > > Couldn't find anything about Google Chrome.
> > >
> > > Meanwhile, I have emailed secur...@wikimedia.org with a link to this
> > > discussion (hope it's not a terribly inappropriate thing to do).
> > >
> > > It'd be great to hear from WMF about their view on this.
> > >
> > > Best,
> > > Yury.
> > >
> > > Yury Bulka  writes:
> > >
> > > > I'm not in Kazakhstan and am not directly in touch with any of
> > > > wikimedians there, so I don't know their position.
> > > >
> > > > However, I'm not sure how much freedom they have in expressing their
> > > > honest opinion about this publicly. Simply because it is always a
> > > > pros-and-cons calculation to criticise your local government in such
> > > > situations.
> > > >
> > > > Yaroslav Blanter  writes:
> > > >
> > > >> I do not think Kazakhstan has a chapter. In the past, some Kazakh
> > > >> Wikimedians enjoyed close collaboration with the government (for
> > > example,
> > > >> the Kazakhstani Encyclopedia has been released under a free license
> > and
> > > >> verbatim copied to the Kazakh Wikipedia, so that I do not expect
> much.
> > > >>
> > > >> Cheers
> > > >> Yaroslav
> > > >>
> > > >> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <
> > homesec1...@gmail.com
> > > >
> > > >> wrote:
> > > >>
> > > >>> Yury
> > > >>>
> > > >>> What is the position of the Kazakhstan chapter on this?
> > > >>>
> > > >>> The Turnip
> > > >>>
> > > >>> On Sun, 21 Jul 2019 at 11:36, Yury Bulka
> > > >>>  wrote:
> > > >>> >
> > > >>> > I'm sure many have heard about this:
> > > >>> >
> > > >>>
> > >
> >
> https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> > > >>> >
> > > >>> > Essentially, the government in Kazakhstan started forcing
> citizens
> > > into
> > > >>> > installing a root TLS certificate on their devices that would
> allow
> > > the
> > > >>> > government to intercept, decrypt and manipulate all HTTPS
> traffic.
> > > >>> >
> > > >>> > Without the certificate, it seems, citizens can't access HTTPS
> > pages
> > > (at
> > > >>> > least on some ISPs).
> > > >>> >
> > > >>> > I think this has serious implications for Wikipedia & Wikimedia,
> as
> > > not
> > > >>> > only they would be easily able to see which articles people read,
> > but
> > > >>> > also steal login credentials, depseudonymize people and even
> hijack
> > > >>> > admin accounts.
> > > >>> >
> > > >>> > Another danger is that if this effort by Kazakhstan succeeds,
> > > other
> > > >>> > governments may start doing the same.
> > > >>> >
> > > >>> > I wonder if WMF has any position on this yet?
> > > >>> >
> > > >>> > Best,
> > > >>> > Yury.

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread Chico Venancio
FYI, it seems Wikimedia is not being intercepted at the moment.
https://censoredplanet.org/kazakhstan

Of course, that may change.

It may also be relevant that Wikimedia uses HSTS, and that will make it
difficult for users to access the sites with intercepted certificates if
they have accessed the sites previously.

Chico Venancio

Em dom, 28 de jul de 2019 08:58, John Erling Blad 
escreveu:

> The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but
> Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the
> MITM attack possible, by forcing the users to install the root certificate,
> as many of the sites listed have been on the HPKP list. With HPKP in place
> the scheme would be somewhat harder to implement.
>
> [1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
>
> On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka <
> setthemf...@privacyrequired.com>
> wrote:
>
> > I don't see any position from Mozilla on this yet:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
> >
> >
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E
> >
> > Couldn't find anything about Google Chrome.
> >
> > Meanwhile, I have emailed secur...@wikimedia.org with a link to this
> > discussion (hope it's not a terribly inappropriate thing to do).
> >
> > It'd be great to hear from WMF about their view on this.
> >
> > Best,
> > Yury.
> >
> > Yury Bulka  writes:
> >
> > > I'm not in Kazakhstan and am not directly in touch with any of
> > > wikimedians there, so I don't know their position.
> > >
> > > However, I'm not sure how much freedom they have in expressing their
> > > honest opinion about this publicly. Simply because it is always a
> > > pros-and-cons calculation to criticise your local government in such
> > > situations.
> > >
> > > Yaroslav Blanter  writes:
> > >
> > >> I do not think Kazakhstan has a chapter. In the past, some Kazakh
> > >> Wikimedians enjoyed close collaboration with the government (for
> > example,
> > >> the Kazakhstani Encyclopedia has been released under a free license
> and
> > >> verbatim copied to the Kazakh Wikipedia, so that I do not expect much.
> > >>
> > >> Cheers
> > >> Yaroslav
> > >>
> > >> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <
> homesec1...@gmail.com
> > >
> > >> wrote:
> > >>
> > >>> Yury
> > >>>
> > >>> What is the position of the Kazakhstan chapter on this?
> > >>>
> > >>> The Turnip
> > >>>
> > >>> On Sun, 21 Jul 2019 at 11:36, Yury Bulka
> > >>>  wrote:
> > >>> >
> > >>> > I'm sure many have heard about this:
> > >>> >
> > >>>
> >
> https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> > >>> >
> > >>> > Essentially, the government in Kazakhstan started forcing citizens
> > into
> > >>> > installing a root TLS certificate on their devices that would allow
> > the
> > >>> > government to intercept, decrypt and manipulate all HTTPS traffic.
> > >>> >
> > >>> > Without the certificate, it seems, citizens can't access HTTPS
> pages
> > (at
> > >>> > least on some ISPs).
> > >>> >
> > >>> > I think this has serious implications for Wikipedia & Wikimedia, as
> > not
> > >>> > only they would be easily able to see which articles people read,
> but
> > >>> > also steal login credentials, depseudonymize people and even hijack
> > >>> > admin accounts.
> > >>> >
> > >>> > Another danger is that if this effort by Kazakhstan succeeds,
> > other
> > >>> > governments may start doing the same.
> > >>> >
> > >>> > I wonder if WMF has any position on this yet?
> > >>> >
> > >>> > Best,
> > >>> > Yury.
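The HSTS behaviour Chico refers to, worked through as an added example in Python (this is not code from the thread, from Wikimedia, or from any browser). It models a user agent's HSTS store per RFC 6797: a `Strict-Transport-Security` header received over TLS records the host for `max-age` seconds (with `includeSubDomains` covering subdomains), `http://` URLs to a known host are rewritten to `https://`, and a certificate that fails validation on a known host is a hard failure with no click-through, which is what makes an untrusted interception certificate hard to get past for users who visited the site before. It also shows the caveat a defender needs: HSTS reacts only to a failed validation, so if the interception root has been installed as a trust anchor the chain validates and HSTS raises nothing. Host names, the header value and the timestamps are constructed stand-ins.

```python
"""HSTS store model (RFC 6797) and what a cached policy does on a later
connection. Added example; hosts, header values and times are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the policy is stale
    include_subdomains: bool


class HstsStore:
    def __init__(self) -> None:
        self._hosts: Dict[str, HstsEntry] = {}

    def process_header(self, host: str, value: str, now: float,
                       secure_transport: bool = True) -> bool:
        """Handle a Strict-Transport-Security header from `host`.

        RFC 6797: ignore the header on non-secure transport or when max-age is
        missing/invalid; max-age=0 deletes the host. Unknown directives such as
        `preload` are ignored. Returns True when a policy was stored."""
        if not secure_transport:
            return False
        max_age: Optional[int] = None
        include_sub = False
        for raw in value.split(";"):
            name, _, arg = raw.strip().partition("=")
            name, arg = name.strip().lower(), arg.strip().strip('"')
            if name == "max-age":
                if not arg.isdigit():
                    return False
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)
            return False
        self._hosts[host] = HstsEntry(now + max_age, include_sub)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """Known HSTS Host: exact match, or a superdomain with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:   # missing or stale
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for a Known HSTS Host."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname or "", now):
            netloc = p.netloc[:-3] if p.netloc.endswith(":80") else p.netloc
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
        return url

    def on_certificate_result(self, host: str, chain_validated: bool, now: float) -> str:
        """Outcome after TLS certificate validation for `host`."""
        if chain_validated:
            # Includes a chain that ends at a user-installed interception root:
            # validation succeeded, so HSTS has nothing to object to.
            return "connect"
        if self.is_known(host, now):
            return "hard_fail"            # RFC 6797 s.12.1: no user recourse
        return "warn_user_can_override"


CONSTRUCTED_HEADER = "max-age=31536000; includeSubDomains; preload"


def demo() -> dict:
    """Run the scenarios from the thread against a constructed store."""
    store = HstsStore()
    t0 = 1_564_300_000.0                         # constructed first-visit time
    store.process_header("wiki.example", CONSTRUCTED_HEADER, t0)
    later = t0 + 3600
    return {
        "http_rewrite": store.rewrite_url("http://en.wiki.example/wiki/Main_Page", later),
        "first_visit_untrusted_cert": store.on_certificate_result("never-visited.example", False, later),
        "known_host_untrusted_cert": store.on_certificate_result("en.wiki.example", False, later),
        "known_host_user_root_trusted": store.on_certificate_result("en.wiki.example", True, later),
        "expired_policy": store.on_certificate_result("en.wiki.example", False, t0 + 31536000 + 1),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `known_host_user_root_trusted` case is the one to keep in mind: once the interception root is in the trust store, the only visible difference is the issuer of the served certificate, which is why trust-store auditing, not HSTS, is the control that catches it.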

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread Alex Monk
Correct me if I'm wrong but I believe browsers always ignored HPKP rules
when presented with a cert signed by a CA that is locally installed rather
than default.

On Sun, 28 Jul 2019, 12:58 John Erling Blad,  wrote:

> The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but
> Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the
> MITM attack possible, by forcing the users to install the root certificate,
> as many of the sites listed have been on the HPKP list. With HPKP in place
> the scheme would be somewhat harder to implement.
>
> [1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
>
> On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka <
> setthemf...@privacyrequired.com>
> wrote:
>
> > I don't see any position from Mozilla on this yet:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
> >
> >
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E
> >
> > Couldn't find anything about Google Chrome.
> >
> > Meanwhile, I have emailed secur...@wikimedia.org with a link to this
> > discussion (hope it's not a terribly inappropriate thing to do).
> >
> > It'd be great to hear from WMF about their view on this.
> >
> > Best,
> > Yury.
> >
> > Yury Bulka  writes:
> >
> > > I'm not in Kazakhstan and am not directly in touch with any of
> > > wikimedians there, so I don't know their position.
> > >
> > > However, I'm not sure how much freedom they have in expressing their
> > > honest opinion about this publicly. Simply because it is always a
> > > pros-and-cons calculation to criticise your local government in such
> > > situations.
> > >
> > > Yaroslav Blanter  writes:
> > >
> > >> I do not think Kazakhstan has a chapter. In the past, some Kazakh
> > >> Wikimedians enjoyed close collaboration with the government (for
> > example,
> > >> the Kazakhstani Encyclopedia has been released under a free license
> and
> > >> verbatim copied to the Kazakh Wikipedia, so that I do not expect much.
> > >>
> > >> Cheers
> > >> Yaroslav
> > >>
> > >> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <
> homesec1...@gmail.com
> > >
> > >> wrote:
> > >>
> > >>> Yury
> > >>>
> > >>> What is the position of the Kazakhstan chapter on this?
> > >>>
> > >>> The Turnip
> > >>>
> > >>> On Sun, 21 Jul 2019 at 11:36, Yury Bulka
> > >>>  wrote:
> > >>> >
> > >>> > I'm sure many have heard about this:
> > >>> >
> > >>>
> >
> https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> > >>> >
> > >>> > Essentially, the government in Kazakhstan started forcing citizens
> > into
> > >>> > installing a root TLS certificate on their devices that would allow
> > the
> > >>> > government to intercept, decrypt and manipulate all HTTPS traffic.
> > >>> >
> > >>> > Without the certificate, it seems, citizens can't access HTTPS
> pages
> > (at
> > >>> > least on some ISPs).
> > >>> >
> > >>> > I think this has serious implications for Wikipedia & Wikimedia, as
> > not
> > >>> > only they would be easily able to see which articles people read,
> but
> > >>> > also steal login credentials, depseudonymize people and even hijack
> > >>> > admin accounts.
> > >>> >
> > >>> > Another danger is that if this effort by Kazakhstan succeeds,
> > other
> > >>> > governments may start doing the same.
> > >>> >
> > >>> > I wonder if WMF has any position on this yet?
> > >>> >
> > >>> > Best,
> > >>> > Yury.

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread John Erling Blad
The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but
Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the
MITM attack possible, by forcing the users to install the root certificate,
as many of the sites listed have been on the HPKP list. With HPKP in place
the scheme would be somewhat harder to implement.

[1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438

On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka 
wrote:

> I don't see any position from Mozilla on this yet:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
>
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E
>
> Couldn't find anything about Google Chrome.
>
> Meanwhile, I have emailed secur...@wikimedia.org with a link to this
> discussion (hope it's not a terribly inappropriate thing to do).
>
> It'd be great to hear from WMF about their view on this.
>
> Best,
> Yury.
>
> Yury Bulka  writes:
>
> > I'm not in Kazakhstan and am not directly in touch with any of
> > wikimedians there, so I don't know their position.
> >
> > However, I'm not sure how much freedom they have in expressing their
> > honest opinion about this publicly. Simply because it is always a
> > pros-and-cons calculation to criticise your local government in such
> > situations.
> >
> > Yaroslav Blanter  writes:
> >
> >> I do not think Kazakhstan has a chapter. In the past, some Kazakh
> >> Wikimedians enjoyed close collaboration with the government (for
> example,
> >> the Kazakhstani Encyclopedia has been released under a free license and
> >> verbatim copied to the Kazakh Wikipedia, so that I do not expect much.
> >>
> >> Cheers
> >> Yaroslav
> >>
> >> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend  >
> >> wrote:
> >>
> >>> Yury
> >>>
> >>> What is the position of the Kazakhstan chapter on this?
> >>>
> >>> The Turnip
> >>>
> >>> On Sun, 21 Jul 2019 at 11:36, Yury Bulka
> >>>  wrote:
> >>> >
> >>> > I'm sure many have heard about this:
> >>> >
> >>>
> https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> >>> >
> >>> > Essentially, the government in Kazakhstan started forcing citizens
> into
> >>> > installing a root TLS certificate on their devices that would allow
> the
> >>> > government to intercept, decrypt and manipulate all HTTPS traffic.
> >>> >
> >>> > Without the certificate, it seems, citizens can't access HTTPS pages
> (at
> >>> > least on some ISPs).
> >>> >
> >>> > I think this has serious implications for Wikipedia & Wikimedia, as
> not
> >>> > only they would be easily able to see which articles people read, but
> >>> > also steal login credentials, depseudonymize people and even hijack
> >>> > admin accounts.
> >>> >
> >>> > Another danger is that if this effort by Kazakhstan succeeds,
> other
> >>> > governments may start doing the same.
> >>> >
> >>> > I wonder if WMF has any position on this yet?
> >>> >
> >>> > Best,
> >>> > Yury.
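The HPKP mechanism John proposes, together with the exception Alex raises and John then confirms from MDN (pins are not enforced when the chain ends at a user-installed root), worked through as an added example in Python (not code from the thread or from any browser). It parses a `Public-Key-Pins` header per RFC 7469, derives each pin as base64(SHA-256(SubjectPublicKeyInfo DER)), rejects a header that lacks `max-age` or a backup pin, and applies a stored policy to an already-validated chain: a pin matches if any certificate in the chain carries a pinned key, and a chain terminating at a user-defined trust anchor skips the pin check entirely. Certificate names and the SPKI bytes are constructed stand-ins, not real keys.

```python
"""HPKP pin validation model (RFC 7469) with the user-installed-root
exception. Added example; every key and host below is constructed."""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinPolicy:
    pins: Set[str] = field(default_factory=set)
    max_age: int = 0
    include_subdomains: bool = False


def parse_pkp_header(value: str) -> Optional[PinPolicy]:
    """Parse a Public-Key-Pins header; None means the UA must ignore it.

    RFC 7469 requires max-age and at least two pins (one of them a backup
    that is not in the served chain), so that a site cannot brick itself."""
    policy = PinPolicy()
    saw_max_age = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")        # splits at the first '='
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy.pins.add(arg)
        elif name == "max-age":
            if not arg.isdigit():
                return None
            policy.max_age = int(arg)
            saw_max_age = True
        elif name == "includesubdomains":
            policy.include_subdomains = True
        # other directives (e.g. report-uri) are ignored in this model
    if not saw_max_age or len(policy.pins) < 2:
        return None
    return policy


@dataclass
class Cert:
    name: str
    spki_der: bytes      # constructed placeholder for the SPKI DER encoding


def validate_pins(chain: List[Cert], policy: PinPolicy,
                  anchor_is_user_defined: bool) -> str:
    """Apply a stored pin policy to a chain that has already validated.

    "not_enforced": chain ends at a user-defined trust anchor; Firefox/Chrome
                    skip pin validation here (the MDN text quoted above).
    "pin_match":    some certificate in the chain carries a pinned key.
    "pin_failure":  no certificate matches; the connection must be refused."""
    if anchor_is_user_defined:
        return "not_enforced"
    chain_pins = {spki_pin(c.spki_der) for c in chain}
    return "pin_match" if chain_pins & policy.pins else "pin_failure"


# Constructed material: a legitimate chain, an offline backup key, and a chain
# re-issued under an interception root that the user has been made to install.
LEGIT_LEAF = Cert("wiki.example leaf (constructed)", b"constructed-spki-legit-leaf")
LEGIT_ROOT = Cert("Example Root CA (constructed)", b"constructed-spki-legit-root")
BACKUP_SPKI = b"constructed-spki-offline-backup-key"
INTERCEPT_LEAF = Cert("wiki.example re-issued (constructed)", b"constructed-spki-intercept-leaf")
INTERCEPT_ROOT = Cert("User-installed interception root (constructed)", b"constructed-spki-intercept-root")

CONSTRUCTED_PKP_HEADER = (
    f'pin-sha256="{spki_pin(LEGIT_LEAF.spki_der)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)


def demo() -> dict:
    """The three cases discussed in the thread."""
    policy = parse_pkp_header(CONSTRUCTED_PKP_HEADER)
    assert policy is not None
    return {
        "legitimate/builtin": validate_pins([LEGIT_LEAF, LEGIT_ROOT], policy, False),
        "interception/builtin": validate_pins([INTERCEPT_LEAF, INTERCEPT_ROOT], policy, False),
        "interception/user_root": validate_pins([INTERCEPT_LEAF, INTERCEPT_ROOT], policy, True),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The second case is the one HPKP was designed for (a mis-issued certificate from a built-in CA), and the third is the one at issue here: with the root installed by the user, the pin check never runs, so pinning alone would not have changed the outcome for those users even where a browser still honoured the header.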