Hm, interesting - the page reports 404 if JS is disabled, but loads
otherwise. Thanks for the hint. Also sharing Mozilla's statement:
Good to know.
> link works fine for me Yury
link works fine for me Yury
On Fri, 23 Aug 2019 at 10:29, Yury Bulka
> I'm getting a 404:(
> John Erling Blad writes:
> > Google, Apple, Mozilla move to block Kazakh surveillance system
I'm getting a 404:(
John Erling Blad writes:
> Google, Apple, Mozilla move to block Kazakh surveillance system
Google, Apple, Mozilla move to block Kazakh surveillance system
Wikimedia-l mailing list, guidelines at:
If there is no local chapter willing and able to take action, then
presumably it falls to WMF central to do so, as they have in the USA
On Tue, 23 Jul 2019 at 12:41, Yaroslav Blanter wrote:
> I do not think Kazakhstan has a chapter. In the past, some Kazakh
Seems like something happen early Friday morning.
On Sun, Jul 28, 2019 at 2:43 PM John Erling Blad wrote:
> You are right. “Firefox and Chrome disable pin validation for pinned hosts
> whose validated certificate chain terminates at a
You are right. “Firefox and Chrome disable pin validation for pinned hosts
whose validated certificate chain terminates at a user-defined trust anchor
(rather than a built-in trust anchor). This means that for users who
imported custom root certificates all pinning violations are ignored.” 
FYI, it seems Wikimedia is not being intercepted at the moment.
Of course, that may change.
It may also be relevant that Wikimedia uses HSTS, and that will make it
difficult for users to access the sites with intercepted certificates if
they have accessed
Correct me if I'm wrong but I believe browsers always ignored HPKP rules
when presented with a cert signed by a CA that is locally installed rather
On Sun, 28 Jul 2019, 12:58 John Erling Blad, wrote:
> The Kazakhstan MITM could be stopped by HTTP Public Key Pinning , but
The Kazakhstan MITM could be stopped by HTTP Public Key Pinning , but
Chrome seems to have dropped support for HPKP? Dropping HPKP made the
MITM attack possible, by forcing the users to install the root certificate,
as many of the sites listed has been on the HPKP list. With HPKP in place
I don't see any position from Mozilla on this yet:
Couldn't find anything about Google Chrome.
Meanwhile, I have emailed secur...@wikimedia.org with a link to this
I'm not in Kazakhstan and am not in directly touch with any of
wikimedians there, so I don't know their position.
However, I'm not sure how much freedom they have in expressing their
honest opinion about this publicly. Simply because it is always a
pros-and-cons calculation to criticise your
I do not think Kazakhstan has a chapter. In the past, some Kazakh
Wikimedians enjoyed close collaboration with the government (for example,
the Kazakhstani Encyclopedia has been released under a free license and
verbatim copied to the Kazakh Wikipedia, so that I do not expect much.
What is the position of the Kazakhstan chapter on this?
On Sun, 21 Jul 2019 at 11:36, Yury Bulka
> I'm sure many have heard about this:
> Essentially, the government in Kazakhstan started
Honestly, I am not sure what actions would be appropriate.
My initial reaction was - Wikipedia (and all Wikimedia sites) is
HTTPS-only, and this undermines HTTPS as such.
So if Wikipedia should only be accessible over (real, no
man-in-the-middle) HTTPS, perhaps requests that don't meet this
displaying a warning that there is a MITM which reads all passwords and
banking information sounds nice, yuri. there even seems to be ways to
detect this client-server side:
you mean something
Browser vendors could revoke the root that Kazakh authorities are using for
On Mon, Jul 22, 2019 at 5:35 AM Yuri Astrakhan
> I don't think browser vendors will block the ability to install a custom
> root certificate because some corp clients may use it for exactly the same
I don't think browser vendors will block the ability to install a custom
root certificate because some corp clients may use it for exactly the same
reason -- creating an HTTPS proxy with fake certs in order to analyze
internal traffic (in the name of monitoring/security).
Browser vendors could
>> I think this has serious implications for Wikipedia & Wikimedia, as not
>> only they would be easily able to see which articles people read, but
>> also steal login credentials, depseudonymize people and even hijack
>> admin accounts.
Yes, they can de-crypt the traffic.
Mail list logo