Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-22 Thread rupert THURNER
displaying a warning that there is a MITM which reads all passwords and
banking information sounds nice, yuri. there even seem to be ways to
detect this client-server side:
https://www.reddit.com/r/javascript/comments/7ldypq/is_it_possible_to_detect_mitm_by_javascript_in_a/
- you mean something like this would do, yury?

george, the trusted root certificates would be configurable, usually, like
for chrome here:
https://support.securly.com/hc/en-us/articles/206081828-How-to-manually-install-the-Securly-SSL-certificate-in-Chrome
companies pay money to get into this list, so they can more easily sell their
website certificates. closing down the list for sure leads to some
anti-trust legal action in other countries.

btw, recently there was a blog post from a developer in iran, saying the
same :
https://shahinsorkh.ir/2019/07/20/how-is-it-like-to-be-a-dev-in-iran

this had an even more surprising aspect - not only would the country block
access to some sites - but sites themselves decided to remove users having a
relationship with that country:
"Slack team, decided to join the sanctions. They simply deleted every
single user who they found out is Iranian! With no real prior notices! Many
people has lost their data on Slack and no one was going to do anything!"

rupert


On Mon, Jul 22, 2019 at 7:05 PM George Herbert 
wrote:

> Browser vendors could revoke the root that Kazakh authorities are using for
> the scheme.
>
> On Mon, Jul 22, 2019 at 5:35 AM Yuri Astrakhan 
> wrote:
>
> > I don't think browser vendors will block the ability to install a custom
> > root certificate because some corp clients may use it for exactly the same
> > reason -- creating an HTTPS proxy with fake certs in order to analyze
> > internal traffic (in the name of monitoring/security).
> >
> > Browser vendors could make it more difficult to install, so that it would
> > require the corp IT department to do some magic, or even release two
> > versions of the browser - corp and general (with blocked uncertified root
> > certs), but at the end of the day those could be worked around.
> >
> > The biggest deterrent in my opinion is to educate the users about the
> > dangers such certs would pose (i.e. all your passwords and bank info will be
> > viewable by ISPs) - thus it would be a social rather than purely technical
> > solution.
> >
> > On Mon, Jul 22, 2019 at 1:33 PM Steinsplitter Wiki <
> > steinsplit...@wikipedia.de> wrote:
> >
> > > That's shocking...
> > >
> > > >> I think this has serious implications for Wikipedia & Wikimedia, as not
> > > >> only they would be easily able to see which articles people read, but
> > > >> also steal login credentials, depseudonymize people and even hijack
> > > >> admin accounts.
> > >
> > > Yes, they can decrypt the traffic. Hopefully browser vendors will
> > > disallow the root certificate.
> > > IMHO there isn't much WP can do, except showing a warning if somebody is
> > > trying to log in from the country in question.
> > >
> > > --Steinsplitter
> > >
> > > 
> > > From: Wikimedia-l on behalf of Yury Bulka
> > > Sent: Sunday, 21 July 2019 12:36
> > > To: wikimedia-l@lists.wikimedia.org
> > > Subject: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan
> > >
> > > I'm sure many have heard about this:
> > >
> > > https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> > >
> > > Essentially, the government in Kazakhstan started forcing citizens into
> > > installing a root TLS certificate on their devices that would allow the
> > > government to intercept, decrypt and manipulate all HTTPS traffic.
> > >
> > > Without the certificate, it seems, citizens can't access HTTPS pages (at
> > > least on some ISPs).
> > >
> > > I think this has serious implications for Wikipedia & Wikimedia, as not
> > > only they would be easily able to see which articles people read, but
> > > also steal login credentials, depseudonymize people and even hijack
> > > admin accounts.
> > >
> > > Another danger is that if this effort by Kazakhstan will succeed, other
> > > governments may start doing the same.
> > >
> > > I wonder if WMF has any position on this yet?
> > >
> > > Best,
> > > Yury.
> > >
> > > ___
> > > Wikimedia-l mailing list, guidelines at:
> > > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
> > > https://meta.wikimedia.org/wiki/Wikimedia-l
> > > New messages to: Wikimedia-l@lists.wikimedia.org
> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-22 Thread George Herbert
Browser vendors could revoke the root that Kazakh authorities are using for
the scheme.

On Mon, Jul 22, 2019 at 5:35 AM Yuri Astrakhan 
wrote:

> I don't think browser vendors will block the ability to install a custom
> root certificate because some corp clients may use it for exactly the same
> reason -- creating an HTTPS proxy with fake certs in order to analyze
> internal traffic (in the name of monitoring/security).
>
> Browser vendors could make it more difficult to install, so that it would
> require the corp IT department to do some magic, or even release two
> versions of the browser - corp and general (with blocked uncertified root
> certs), but at the end of the day those could be worked around.
>
> The biggest deterrent in my opinion is to educate the users about the
> dangers such certs would pose (i.e. all your passwords and bank info will be
> viewable by ISPs) - thus it would be a social rather than purely technical
> solution.
>
> On Mon, Jul 22, 2019 at 1:33 PM Steinsplitter Wiki <
> steinsplit...@wikipedia.de> wrote:
>
> > That's shocking...
> >
> > >> I think this has serious implications for Wikipedia & Wikimedia, as not
> > >> only they would be easily able to see which articles people read, but
> > >> also steal login credentials, depseudonymize people and even hijack
> > >> admin accounts.
> >
> > Yes, they can decrypt the traffic. Hopefully browser vendors will
> > disallow the root certificate.
> > IMHO there isn't much WP can do, except showing a warning if somebody is
> > trying to log in from the country in question.
> >
> > --Steinsplitter
> >
> > 
> > From: Wikimedia-l on behalf of Yury Bulka
> > Sent: Sunday, 21 July 2019 12:36
> > To: wikimedia-l@lists.wikimedia.org
> > Subject: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan
> >
> > I'm sure many have heard about this:
> >
> > https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> >
> > Essentially, the government in Kazakhstan started forcing citizens into
> > installing a root TLS certificate on their devices that would allow the
> > government to intercept, decrypt and manipulate all HTTPS traffic.
> >
> > Without the certificate, it seems, citizens can't access HTTPS pages (at
> > least on some ISPs).
> >
> > I think this has serious implications for Wikipedia & Wikimedia, as not
> > only they would be easily able to see which articles people read, but
> > also steal login credentials, depseudonymize people and even hijack
> > admin accounts.
> >
> > Another danger is that if this effort by Kazakhstan will succeed, other
> > governments may start doing the same.
> >
> > I wonder if WMF has any position on this yet?
> >
> > Best,
> > Yury.
> >



-- 
-george william herbert
george.herb...@gmail.com


[Wikimedia-l] An update on the ECHR filing to lift the Wikipedia block in Turkey

2019-07-22 Thread Gregory Varnum
Hello!

I am writing to provide an update on the status of the petition that the
Wikimedia Foundation filed with the European Court of Human Rights (ECHR)
in May to lift the more than two-year block of Wikipedia in Turkey.[1]

As you may know, many petitions brought before the ECHR are not granted a
hearing by the Court, and, even when the hearing is granted, the process of
reaching a resolution can take years. We understood these considerations
when we filed the petition, but were hopeful that the Court would recognize
the public importance of the case.

The ECHR has acted extremely quickly in this case. On July 2, the Court
responded to the petition by giving the case “priority treatment”, and
sending official correspondence to us and to Turkish authorities with
notification of this designation. The Government of Turkey now has until
October 24 to respond by submitting their own observations on the case to
the Court. We feel this is a clear indication that the case is being taken
seriously.

You can read more information on the Wikimedia Foundation website:
https://wikimediafoundation.org/news/2019/07/22/our-legal-case-against-turkeys-block-of-wikipedia-has-been-expedited-heres-what-that-means/

We invite you to join us in sharing this news within your networks. You can
do so on social media by retweeting @Wikipedia and sharing messages of your
own. We have also posted a social media toolkit on Meta-Wiki with hashtags,
draft messages, and graphics (coming later today) for folks to utilize:
https://meta.wikimedia.org/wiki/Communications/Unblock_campaigns

We are optimistic about this development and look forward to sharing any
future updates with you.

-greg

[1]
https://wikimediafoundation.org/news/2019/05/23/wikimedia-foundation-petitions-the-european-court-of-human-rights-to-lift-the-block-of-wikipedia-in-turkey/

-- 

Gregory Varnum (pronouns - he/his/him)

Communications Strategist

Wikimedia Foundation 


Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-22 Thread Yuri Astrakhan
I don't think browser vendors will block the ability to install a custom
root certificate because some corp clients may use it for exactly the same
reason -- creating an HTTPS proxy with fake certs in order to analyze
internal traffic (in the name of monitoring/security).

Browser vendors could make it more difficult to install, so that it would
require the corp IT department to do some magic, or even release two
versions of the browser - corp and general (with blocked uncertified root
certs), but at the end of the day those could be worked around.

The biggest deterrent in my opinion is to educate the users about the
dangers such certs would pose (i.e. all your passwords and bank info will be
viewable by ISPs) - thus it would be a social rather than purely technical
solution.

On Mon, Jul 22, 2019 at 1:33 PM Steinsplitter Wiki <
steinsplit...@wikipedia.de> wrote:

> That's shocking...
>
> >> I think this has serious implications for Wikipedia & Wikimedia, as not
> >> only they would be easily able to see which articles people read, but
> >> also steal login credentials, depseudonymize people and even hijack
> >> admin accounts.
>
> Yes, they can de-crypt the traffic. Hopefully browser vendors will
> disallow the root certificate.
> IMHO there isn't much WP can do, except showing a warning if somebody is
> trying to log in from the country in question.
>
> --Steinsplitter
>
> 
> From: Wikimedia-l on behalf of Yury Bulka
> Sent: Sunday, 21 July 2019 12:36
> To: wikimedia-l@lists.wikimedia.org
> Subject: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan
>
> I'm sure many have heard about this:
>
> https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
>
> Essentially, the government in Kazakhstan started forcing citizens into
> installing a root TLS certificate on their devices that would allow the
> government to intercept, decrypt and manipulate all HTTPS traffic.
>
> Without the certificate, it seems, citizens can't access HTTPS pages (at
> least on some ISPs).
>
> I think this has serious implications for Wikipedia & Wikimedia, as not
> only they would be easily able to see which articles people read, but
> also steal login credentials, depseudonymize people and even hijack
> admin accounts.
>
> Another danger is that if this effort by Kazakhstan will succeed, other
> governments may start doing the same.
>
> I wonder if WMF has any position on this yet?
>
> Best,
> Yury.
>


Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-22 Thread Steinsplitter Wiki
That's shocking...

>> I think this has serious implications for Wikipedia & Wikimedia, as not
>> only they would be easily able to see which articles people read, but
>> also steal login credentials, depseudonymize people and even hijack
>> admin accounts.

Yes, they can decrypt the traffic. Hopefully browser vendors will disallow the
root certificate.
IMHO there isn't much WP can do, except showing a warning if somebody is trying
to log in from the country in question.

--Steinsplitter


From: Wikimedia-l on behalf of Yury Bulka
Sent: Sunday, 21 July 2019 12:36
To: wikimedia-l@lists.wikimedia.org
Subject: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

I'm sure many have heard about this:
https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html

Essentially, the government in Kazakhstan started forcing citizens into
installing a root TLS certificate on their devices that would allow the
government to intercept, decrypt and manipulate all HTTPS traffic.

Without the certificate, it seems, citizens can't access HTTPS pages (at
least on some ISPs).

I think this has serious implications for Wikipedia & Wikimedia, as not
only they would be easily able to see which articles people read, but
also steal login credentials, depseudonymize people and even hijack
admin accounts.

Another danger is that if this effort by Kazakhstan will succeed, other
governments may start doing the same.

I wonder if WMF has any position on this yet?

Best,
Yury.
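
Added example, not part of the original thread or any poster's code: a local lab for the mechanism discussed in this thread, showing that a root added to the device trust store makes a substituted certificate validate, while a comparison against a previously recorded public-key pin still flags it. The host name wiki.example, the CA names and all keys are constructed for the demonstration; it assumes bash and the openssl command-line tool.

```bash
#!/usr/bin/env bash
# Constructed lab: every key, name and certificate below is generated locally.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_root NAME: create a self-signed root CA (NAME.key / NAME.pem).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue_leaf ROOT OUT: certificate for wiki.example (placeholder host) signed by ROOT.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wiki.example" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.pem" -CAkey "$work/$1.key" \
    -CAcreateserial -days 2 -out "$work/$2.pem" 2>/dev/null
}

# chain_ok STORE LEAF: succeeds only if LEAF chains to a root in STORE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# spki_pin CERT: base64 SHA-256 of the certificate's public key.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

make_root public-ca;      issue_leaf public-ca genuine
make_root installed-root; issue_leaf installed-root substituted

# Trust store before and after the extra root is installed on the device.
cp "$work/public-ca.pem" "$work/store-default.pem"
cat "$work/public-ca.pem" "$work/installed-root.pem" > "$work/store-modified.pem"

expected_pin=$(spki_pin "$work/genuine.pem")   # recorded out of band

for store in default modified; do
  for leaf in genuine substituted; do
    if chain_ok "$work/store-$store.pem" "$work/$leaf.pem"; then v=valid; else v=REJECTED; fi
    if [ "$(spki_pin "$work/$leaf.pem")" = "$expected_pin" ]; then p=match; else p=MISMATCH; fi
    printf '%-9s store  %-12s chain=%-9s pin=%s\n' "$store" "$leaf" "$v" "$p"
  done
done
```

The pin comparison only helps where the client performs it itself; mainstream browsers skip their built-in pin checks for chains that end in a locally installed root.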



[Wikimedia-l] New Wikiclubs in Tavush province

2019-07-22 Thread Wikimedia Armenia Board
Dear all,

I am glad to inform you that a memorandum has been signed between Wikimedia
Armenia Scientific-Educational NGO and Tavush Province Administration of
the Republic of Armenia, according to which the latter is obliged to


   1. Support the establishment and regular work of Wikiclubs in Tavush region
   2. Equip the Wikiclubs with notebooks, provide with fast and consistent
      internet
   3. Encourage the implementation of Wiki projects in the learning process
      and the active participation of teachers and students in projects carried
      out by Wikimedia Armenia
   4. Spread information on events carried out by Wikimedia Armenia among
      teachers of the region
   5. Support other educational initiatives accomplished by Wikimedia Armenia


This arrangement allows Wikimedia Armenia to increase the number of its
Wikiclubs, spread and develop the Wiki movement in Tavush region, and
contribute to expanding educational opportunities. At the moment there are
7 Wikiclubs (Gosh, Archis, Sarigyugh, Kirants, Lusahovit and two clubs in
Noyemberyan) in Tavush region. It is anticipated to gradually establish
Wikiclubs in all communities of the region.

Wikimedia Armenia NGO Chair of the Board

Vahagn Piliposyan