(resending because the first attempt was not posted to the list)
Mozilla has announced our response to the Kazakhstan MITM:
https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/
and
https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhs
Mozilla has announced our response to the Kazakhstan MITM:
https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/
and
https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/
Note: we're in the process of adding the "Qaznet" root certi
News reports[1][2] are now showing that the certificate has been "cancelled". I
do not have a way to verify that it has been revoked independently at this time.
Sources:
[1] https://tsarka.org/post/national-certificate-cancelled
[2] https://www.reuters.com/article/us-kazakhstan-internet-surveill
* whatever the legislation of a sovereign state it can hardly be a browser's
remit to govern the state's citizen by hard coding a block, preventing those
not participating in this panel discussion to install the certificate(s) if
they would desire to do so (for whatever reason that may be and th
On Thursday, January 7, 2016 at 4:08:10 UTC+5, Paul Wouters wrote:
> As was in the news before, Kazakhstan has issued a national MITM
> Certificate Agency.
>
> Is there a policy on what to do with these? While they are not trusted,
> would it be useful to explicitly blacklist these, as t
On Friday, July 19, 2019 at 10:53:16 AM UTC-5, Matthew Hardeman wrote:
> While possible, that seems unlikely. Corporates are, in general, not
> trying to hide when this is being done.
>
> In fact, there are lots of good legal liability reasons why they should
> want their users to be constantly r
This is not at all a safe assumption. If they care to know and have active
MITM infrastructure in place, the last time I looked at the issue,
identifying which browser was in use (and generally speaking which
operating system or set of operating systems) was fairly trivial by
fingerprinting the ch
The government sending out SMSes to tell users to install the certificate doesn't
(until the certificate is installed) know what browser the user is using.
So, in addition to blacklisting the certificate, have it pop up a big, horrible
message "Your government wants to use this to spy on you. It d
On Wednesday, January 6, 2016 at 5:08:10 PM UTC-6, Paul Wouters wrote:
> As was in the news before, Kazakhstan has issued a national MITM
> Certificate Agency.
>
> Is there a policy on what to do with these? While they are not trusted,
> would it be useful to explicitly blacklist these, as to mak
On Tuesday, July 23, 2019 at 7:34:11 AM UTC+4, Matthew Hardeman wrote:
> It is an interesting question. It essentially becomes a gamble on whether
> they'll back down or just fork their own KazakhFox. But if they do push
> this all the way with a national browser, then their people are even
> fu
On Monday, July 22, 2019 at 11:34:11 PM UTC-4, Matthew Hardeman wrote:
> It is an interesting question. It essentially becomes a gamble on whether
> they'll back down or just fork their own KazakhFox. But if they do push
> this all the way with a national browser, then their people are even
> fur
On Mon, Jul 22, 2019 at 9:20 PM Corey Bonnell via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> I think the optimal solution in terms of user security is to create a
> blacklist of known MITM CA public keys and simply prevent the installation
> of certificates containing
On Thursday, January 7, 2016 at 7:08:10 AM UTC+8, Paul Wouters wrote:
> As was in the news before, Kazakhstan has issued a national MITM
> Certificate Agency.
>
> Is there a policy on what to do with these? While they are not trusted,
> would it be useful to explicitly blacklist these, as to make it
> impossible to trus
On Monday, July 22, 2019 at 7:08:19 PM UTC-4, qm3...@gmail.com wrote:
> The real issue is that they can quickly block update servers + instruct the
> population to disable updates. Which means that banners won't make it
> through, and the population will stay on today's versions permanently.
Hel
On Thursday, July 18, 2019 at 3:42:00 PM UTC-4, Matthew Hardeman wrote:
> Regarding indicators, I agree that it should be more apparent. Perhaps a
> dedicated bar that occupies an entire edge-to-edge horizontal area.
>
> I would propose that it might have two distinct messages, as well:
>
> 1.
If Kazakhstan MITM certificates could be swiftly banned by all major browsers,
it might roll back the requirement (just as it failed in 2016) by paralyzing
work.
It is also more likely to cause political action and people learning more about
the impact of this "policy".
Governments are very slo
Hello, I'm from Kazakhstan and asking you to ban this certificate. The only
reasons it's applied are political. The government will force everyone to apply
it if it will not be banned. Right now in Kazakhstan thousands of people who are
repressed for political views, even mothers are sitting in pri
On 21/07/2019 03:21, My1 wrote:
Hello everyone,
I am new here but also want to share my opinion about some posts here, I know
it's a lot of text but I hope it's not too bad.
On Friday, July 19, 2019 at 23:42:47 UTC+2, dav...@gmail.com wrote:
Wouldn't it be easier to just decree that HTTPS is i
On 20/07/2019 09:31, simc...@gmail.com wrote:
I think it must be quickly blacklisted by Google, Mozilla and Microsoft all together,
because it is known as a state scale MITM affecting citizen "real" life.
The purpose of https is being defeated and such companies who tried to improve
network se
On Sunday, July 21, 2019 at 03:31:03 UTC+2, sim...@gmail.com wrote:
> I think it must be quickly blacklisted by Google, Mozilla and Microsoft all
> together, because it is known as a state scale MITM affecting citizen "real"
> life.
>
> The purpose of https is being defeated and such companies wh
I think it must be quickly blacklisted by Google, Mozilla and Microsoft all
together, because it is known as a state scale MITM affecting citizen "real"
life.
The purpose of https is being defeated and such companies who tried to improve
network security for past decade have to react (yes, secu
It would allow people who are using VPNs and other alternative access
strategies to realize that they forgot to turn it on/etc
On Friday, July 19, 2019 at 11:26:43 AM UTC-4, muc...@wirade.ru wrote:
> Well, then users will just get accustomed to seeing this indication on
> corporate sites and wil
Hello everyone,
I am new here but also want to share my opinion about some posts here, I know
it's a lot of text but I hope it's not too bad.
On Friday, July 19, 2019 at 23:42:47 UTC+2, dav...@gmail.com wrote:
> Wouldn't it be easier to just decree that HTTPS is illegal and block all
> outbound
Wouldn't it be easier to just decree that HTTPS is illegal and block all
outbound 443 (only plain-text readable comms are allowed)? Then you would not
have the decrypt-encrypt/decrypt-encrypt slowdown from the MITM.
If you don't want to make everyone install a certificate:
Issue a double-wildca
> As others (and I) have mentioned, MitM is also how many ordinary
> antivirus programs protect users from attacks. The hard part is
> how to distinguish between malicious and user-helping systems.
Sure, but the question is whether MiTM have reasonable security use cases for
ordinary users. If
On 19/07/2019 21:13, andrey.at.as...@gmail.com wrote:
I am confused. Since when is Mozilla under obligation to provide customized
solutions for corporate MITM? IMHO, corporations, if needed, can hire someone
else to develop their own forks of Chrome/Firefox to do snooping on HTTPS
connections.
On 19/07/2019 16:52, Troy Cauble wrote:
On Thursday, July 18, 2019 at 8:26:43 PM UTC-4, wolfgan...@gmail.com wrote:
Even on corporate hardware I would like at least a notification that this is
happening.
I like the consistency of a reminder in all cases, but this
might lead to corporate poli
On Friday, July 19, 2019 at 21:25:05 UTC+2, saxp...@gmail.com wrote:
> I am no expert at these things, so please forgive me if these are elementary
> or dumb questions.
>
> What is different about this certificate compared to the tools the KZ
> government already uses to block
I am no expert at these things, so please forgive me if these are elementary or
dumb questions.
What is different about this certificate compared to the tools the KZ
government already uses to block individual websites and apps?
Doesn’t the KZ government already have the ability to read almost
I am confused. Since when is Mozilla under obligation to provide customized
solutions for corporate MITM? IMHO, corporations, if needed, can hire someone
else to develop their own forks of Chrome/Firefox to do snooping on HTTPS
connections.
In regular browsers, developed by community effort and
While possible, that seems unlikely. Corporates are, in general, not
trying to hide when this is being done.
In fact, there are lots of good legal liability reasons why they should
want their users to be constantly reminded.
On Fri, Jul 19, 2019 at 10:27 AM Troy Cauble via dev-security-policy <
On Thursday, July 18, 2019 at 8:26:43 PM UTC-4, wolfgan...@gmail.com wrote:
> Even on corporate hardware I would like at least a notification that this is
> happening.
I like the consistency of a reminder in all cases, but this
might lead to corporate policies to use other browsers.
On Thursday, January 7, 2016 at 00:08:10 UTC+1, Paul Wouters wrote:
> As was in the news before, Kazakhstan has issued a national MITM
> Certificate Agency.
>
> Is there a policy on what to do with these? While they are not trusted,
> would it be useful to explicitly blacklist these,
Well, then users will just get accustomed to seeing this indication on
corporate sites and will ignore it.
Regards,
Mucius.
On Friday, July 19, 2019 at 3:26:43 AM UTC+3, wolfgan...@gmail.com wrote:
> I am not a Mozilla developer, nor have I ever been, but I am a user of what I
> consider to sti
Appeal to the Mozilla Firefox developers
Hello to all!
I'm a software engineer and citizen of Kazakhstan. This certificate is not
implemented to protect users, but for political reasons. Kazakhstan has a
dictatorship. This is done specifically to block "politically incorrect
content".
Look this
On Thursday, July 18, 2019 at 2:39:51 PM UTC-4, Matthew Hardeman wrote:
> Isn't the logical outcome that the nation-state forks one of the
> open-source browser projects, patches in their MiTM certificate, and
> un-does the blacklisting? I think that's exactly what would happen. The
> trouble is
I am not a Mozilla developer, nor have I ever been, but I am a user of what I
consider to still be the free Internet.
I have been in scenarios with silent MITM attacks, primarily corporate
environments as has been mentioned on this thread, and I would _greatly_
appreciate visual indication that my
While this is a technical discussion, it's important to note that a decision
made here *will* have consequences on real people, which adds an essential
moral component.
Kazakhstan is a nation state known for its poor human rights record.
Journalists critical of the government have been prosecut
On Thursday, July 18, 2019 at 12:42:00 PM UTC-7, Matthew Hardeman wrote:
> Regarding indicators, I agree that it should be more apparent. Perhaps a
> dedicated bar that occupies an entire edge-to-edge horizontal area.
>
> I would propose that it might have two distinct messages, as well:
>
> 1.
Regarding indicators, I agree that it should be more apparent. Perhaps a
dedicated bar that occupies an entire edge-to-edge horizontal area.
I would propose that it might have two distinct messages, as well:
1. A message that an explicitly known MiTM certificate exists in the
certificate chain
I agree a persistent indicator is a good idea. From what I understand Firefox
does already have an indicator hidden in the site information box that appears
when you click the lock icon in the address bar (
https://bugzilla.mozilla.org/show_bug.cgi?id=1549605 ). This should be more
visible in m
If the government of Kazakhstan requires interception of TLS as a condition
of access, the real question being asked is whether or not Mozilla products
will tolerate being used in these circumstances.
Your options are to block the certificate, in which case Mozilla products
simply become unusable
On Thu, Jul 18, 2019 at 10:00 AM Ryan Sleevi wrote:
>
> On Thu, Jul 18, 2019 at 12:50 PM Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Finally, I'll point out that Firefox implements public key pinning via a
>> preloaded list of sites, so the reported
For everyone's reference, here is a link to the old thread:
https://groups.google.com/d/msg/mozilla.dev.security.policy/wnuKAhACo3E/ujxPTWTlCQAJ
To be clear, the Kazakhstan government CA's root inclusion request
referenced in that thread was denied:
https://bugzilla.mozilla.org/show_bug.cgi?id=123
Sorry for bumping this old thread, but the Government of Kazakhstan has already
started to use the certificate for MITM. Some information in the news (in Russian):
https://tengrinews.kz/internet/spetsialnyiy-sertifikat-poprosili-ustanovit-smartfonyi-374216/
https://tengrinews.kz/internet/problemyi-dos
On 1/7/16 12:29 PM, Kathleen Wilson wrote:
Until such time that they provide this, I don't see how they are any
different from the thousands of private PKIs that are run by companies
for their own use. Many of those PKIs may be used to MITM
connections.
OK. I suppose that means I should go ahea
The Mozilla Trusted Root program can and should police violations of the
Mozilla Trusted Root program, and any other fraudulent *publicly trusted*
certificates. That's non-controversial.
Policing violations of more general social norms -- by choosing to actively
distrust non-publicly-trusted certi
On Tue, Jan 12, 2016 at 11:46 AM, Jakob Bohm wrote:
> On 12/01/2016 16:49, Phillip Hallam-Baker wrote:
>>
>> It really isn't a good idea for Mozilla to try to mitigate the
>> security concerns of people living in a police state. The cost of
>> doing so is you will set precedents that others demand
On 12/01/2016 16:49, Phillip Hallam-Baker wrote:
It really isn't a good idea for Mozilla to try to mitigate the
security concerns of people living in a police state. The cost of
doing so is you will set precedents that others demand be respected.
Yes providing crypto with a hole in it will be be
It really isn't a good idea for Mozilla to try to mitigate the
security concerns of people living in a police state. The cost of
doing so is you will set precedents that others demand be respected.
Yes providing crypto with a hole in it will be better than no crypto
at all for the people who don't
On Tue, Jan 12, 2016 at 1:48 AM, Peter Gutmann
wrote:
> Paul Wouters writes:
>
> >Or we ensure that firefox and chrome refuses to see those sites at all,
> >because they refuse a downgrade attack.
>
> So users will switch to whatever browser doesn't block it, because given the
> choice between
On Tue, 12 Jan 2016, Peter Gutmann wrote:
Or we ensure that firefox and chrome refuses to see those sites at all,
because they refuse a downgrade attack.
So users will switch to whatever browser doesn't block it, because given the
choice between connecting to Facebook insecurely or not connect
Paul Wouters writes:
>Or we ensure that firefox and chrome refuses to see those sites at all,
>because they refuse a downgrade attack.
So users will switch to whatever browser doesn't block it, because given the
choice between connecting to Facebook insecurely or not connecting at all,
about, oh
On Mon, 11 Jan 2016, Peter Gutmann wrote:
Paul Wouters writes:
If you disallow the cert and turn off encryption, Borat can still read
everyone's traffic, but so can everyone else on the planet.
Who said "turn off encryption"?
If you don't allow the MITM cert, which is needed to enable enc
Paul Wouters writes:
>> If you disallow the cert and turn off encryption, Borat can still read
>> everyone's traffic, but so can everyone else on the planet.
>
>Who said "turn off encryption"?
If you don't allow the MITM cert, which is needed to enable encryption in the
browser, you don't get an
On Mon, 11 Jan 2016, Peter Gutmann wrote:
That would have some pretty bad consequences. With the MITM CA cert enabled,
Borat [0] can read every Kazakh user's email, but no-one else can. With the
MITM CA blacklisted, Borat can still read every Kazakh user's email, but so
can everyone else on th
Kai Engert writes:
>On Sat, 2016-01-09 at 14:11 +, Peter Gutmann wrote:
>> That would have some pretty bad consequences. With the MITM CA cert enabled,
>> Borat [0] can read every Kazakh user's email, but no-one else can. With the
>> MITM CA blacklisted, Borat can still read every Kazakh us
On Mon, 2016-01-11 at 19:45 +0100, Jakob Bohm wrote:
> He is obviously referring to the fact that refusing to encrypt using
> the MiTM certificate would force users to access their e-mails (etc.)
> using unencrypted connections (plain HTTP, plain IMAP, plain POP3
> etc.), thus exposing themselves t
On 08/01/2016 23:31, Florian Weimer wrote:
* Jakob Bohm:
Could they, hypothetically, simply claim to use the real certificate on
the connection from their MiTM machines to the real server to do
practical control validation? They would have to claim, also, that
they are holding the private key
On Mon, Jan 11, 2016 at 1:45 PM, Jakob Bohm wrote:
> On 09/01/2016 19:22, Kai Engert wrote:
>>
>> On Sat, 2016-01-09 at 14:11 +, Peter Gutmann wrote:
>>>
>>> That would have some pretty bad consequences. With the MITM CA cert
>>> enabled,
>>> Borat [0] can read every Kazakh user's email, but
On 09/01/2016 19:22, Kai Engert wrote:
On Sat, 2016-01-09 at 14:11 +, Peter Gutmann wrote:
That would have some pretty bad consequences. With the MITM CA cert enabled,
Borat [0] can read every Kazakh user's email, but no-one else can. With the
MITM CA blacklisted, Borat can still read ever
On Saturday, January 9, 2016 at 11:24:31 AM UTC-5, cub...@gmail.com wrote:
> On Thursday, January 7, 2016 at 12:08:10 AM UTC+1, Paul Wouters wrote:
> > As was in the news before, Kazakhstan has issued a national MITM
> > Certificate Agency.
> >
> > Is there a policy on what to do with these? While
On Sat, 2016-01-09 at 14:11 +, Peter Gutmann wrote:
> That would have some pretty bad consequences. With the MITM CA cert enabled,
> Borat [0] can read every Kazakh user's email, but no-one else can. With the
> MITM CA blacklisted, Borat can still read every Kazakh user's email, but so
> can
On Thursday, January 7, 2016 at 12:08:10 AM UTC+1, Paul Wouters wrote:
> As was in the news before, Kazakhstan has issued a national MITM
> Certificate Agency.
>
> Is there a policy on what to do with these? While they are not trusted,
> would it be useful to explicitly blacklist these, as to mak
Kai Engert writes:
>Independently of the request for inclusion, this group could discuss if the
>Kazakhstan's CAs should be blacklisted, by adding them to the Mozilla CA list
>using negative distrust flags
That would have some pretty bad consequences. With the MITM CA cert enabled,
Borat [0] ca
Correct me if I'm wrong, but I think Mozilla has only actively distrusted
"publicly trusted" certificates -- certificates that could be used to
intercept traffic from a device with an unmodified root store.
So that includes whenever a publicly trusted CA improperly issues
certificates, which can a
* Jakob Bohm:
> Could they, hypothetically, simply claim to use the real certificate on
> the connection from their MiTM machines to the real server to do
> practical control validation? They would have to claim, also, that
> they are holding the private key of the MiTM certificate "in trust" on
I think several separate points need to be discussed.
(a) Inclusion as trustworthy for the global Internet
You might have seen this article, which, to my surprise, can no longer be found
on the site itself, so here is an archived copy:
https://web.archive.org/web/20151202203337/http://telecom.kz/e
On Thu, Jan 7, 2016 at 2:00 PM, Kathleen Wilson wrote:
> On 1/6/16 3:07 PM, Paul Wouters wrote:
>>
>>
>> As was in the news before, Kazakhstan has issued a national MITM
>> Certificate Agency.
>>
>> Is there a policy on what to do with these? While they are not trusted,
>> would it be useful to ex
On 07/01/16 19:15, Peter Bowen wrote:
> The information in the bug is incomplete by Mozilla's policy. They
> indicate that they plan to get a WebTrust audit but have not done so
> at this time. They should be informed that they need both a WebTrust
> for CA and a WebTrust for BR audit before the
On 08/01/2016 03:19, Peter Bowen wrote:
...
[1] I can imagine exactly one way they could claim to simultaneously
meet the BRs and issue MITM certificates: claim they are using a
practical control method and show that from their vantage point they
have practical control of the Internet. They cou
For the thread's reference, this is the relevant part of the application
(from attached scanned images, more extended than the text they included
inline on the Bugzilla thread) that describes the intended use:
https://s3.amazonaws.com/konklone-public/kazakh/kazakh1.png
And this section has some a
On Thu, Jan 7, 2016 at 2:34 PM, David E. Ross wrote:
> On 1/7/2016 12:29 PM, Kathleen Wilson wrote:
>> On 1/7/16 11:15 AM, Peter Bowen wrote:
>>>
>>>
>>> Until such time that they provide this, I don't see how they are any
>>> different from the thousands of private PKIs that are run by companies
On 07/01/2016 22:21, Paul Wouters wrote:
On Thu, 7 Jan 2016, Jakob Bohm wrote:
It would appear from this information, that this CA (and probably
others like it) is deliberately serving a dual role:
1. It is the legitimate trust anchor for some domains that browser
users will need to access (
On 1/7/2016 12:29 PM, Kathleen Wilson wrote:
> On 1/7/16 11:15 AM, Peter Bowen wrote:
>>
>>
>> Until such time that they provide this, I don't see how they are any
>> different from the thousands of private PKIs that are run by companies
>> for their own use. Many of those PKIs may be used to MITM
On Thu, 7 Jan 2016, Jakob Bohm wrote:
It would appear from this information, that this CA (and probably others like
it) is deliberately serving a dual role:
1. It is the legitimate trust anchor for some domains that browser
users will need to access (in this case: Kazakh government sites
u
On 07/01/2016 00:07, Paul Wouters wrote:
As was in the news before, Kazakhstan has issued a national MITM
Certificate Agency.
Is there a policy on what to do with these? While they are not trusted,
would it be useful to explicitly blacklist these, as to make it
impossible to trust even if the
On 1/7/16 11:15 AM, Peter Bowen wrote:
Until such time that they provide this, I don't see how they are any
different from the thousands of private PKIs that are run by companies
for their own use. Many of those PKIs may be used to MITM
connections.
OK. I suppose that means I should go ahead
As was in the news before, Kazakhstan has issued a national MITM
Certificate Agency.
Is there a policy on what to do with these? While they are not trusted,
would it be useful to explicitly blacklist these, as to make it
impossible to trust even if the user "wanted to" ?
The CA's are available