Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-08-26 Thread Yury Bulka
Hm, interesting - the page reports 404 if JS is disabled, but loads otherwise. Thanks for the hint. Also sharing Mozilla's statement: https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/ Good to know. RhinosF1 writes: > link works fine for me Yury > >

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-08-23 Thread RhinosF1
link works fine for me Yury On Fri, 23 Aug 2019 at 10:29, Yury Bulka wrote: > I'm getting a 404:( > > John Erling Blad writes: > > > Google, Apple, Mozilla move to block Kazakh surveillance system > > > > >

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-08-23 Thread Yury Bulka
I'm getting a 404:( John Erling Blad writes: > Google, Apple, Mozilla move to block Kazakh surveillance system > > https://www.reuters.com/article/us-kazakhstan-internet-surveillance/google-apple-mozilla-move-to-block-kazakh-surveillance-system-idUSKCN1VB17Q >

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-08-23 Thread John Erling Blad
Google, Apple, Mozilla move to block Kazakh surveillance system https://www.reuters.com/article/us-kazakhstan-internet-surveillance/google-apple-mozilla-move-to-block-kazakh-surveillance-system-idUSKCN1VB17Q ___ Wikimedia-l mailing list, guidelines at:

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread Thomas Townsend
Yaroslav If there is no local chapter willing and able to take action, then presumably it falls to WMF central to do so, as they have in the USA and Turkey The Turnip On Tue, 23 Jul 2019 at 12:41, Yaroslav Blanter wrote: > > I do not think Kazakhstan has a chapter. In the past, some Kazakh >

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread John Erling Blad
Seems like something happen early Friday morning.[1] [1] https://censoredplanet.org/kazakhstan/live On Sun, Jul 28, 2019 at 2:43 PM John Erling Blad wrote: > You are right. “Firefox and Chrome disable pin validation for pinned hosts > whose validated certificate chain terminates at a

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread John Erling Blad
You are right. “Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.” [1]

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread Chico Venancio
FYI, it seems Wikimedia is not being intercepted at the moment. https://censoredplanet.org/kazakhstan Of course, that may change. It may also be relevant that Wikimedia uses HSTS, and that will make it difficult for users to access the sites with intercepted certificates if they have accessed

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread Alex Monk
Correct me if I'm wrong but I believe browsers always ignored HPKP rules when presented with a cert signed by a CA that is locally installed rather than default. On Sun, 28 Jul 2019, 12:58 John Erling Blad, wrote: > The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but >

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-28 Thread John Erling Blad
The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the MITM attack possible, by forcing the users to install the root certificate, as many of the sites listed has been on the HPKP list. With HPKP in place

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-26 Thread Yury Bulka
I don't see any position from Mozilla on this yet: https://bugzilla.mozilla.org/show_bug.cgi?id=1567114 https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E Couldn't find anything about Google Chrome. Meanwhile, I have emailed secur...@wikimedia.org with a link to this

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-23 Thread Yury Bulka
I'm not in Kazakhstan and am not in directly touch with any of wikimedians there, so I don't know their position. However, I'm not sure how much freedom they have in expressing their honest opinion about this publicly. Simply because it is always a pros-and-cons calculation to criticise your

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-23 Thread Yaroslav Blanter
I do not think Kazakhstan has a chapter. In the past, some Kazakh Wikimedians enjoyed close collaboration with the government (for example, the Kazakhstani Encyclopedia has been released under a free license and verbatim copied to the Kazakh Wikipedia, so that I do not expect much. Cheers

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-23 Thread Thomas Townsend
Yury What is the position of the Kazakhstan chapter on this? The Turnip On Sun, 21 Jul 2019 at 11:36, Yury Bulka wrote: > > I'm sure many have heard about this: > https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html > > Essentially, the government in Kazakhstan started

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-23 Thread Yury Bulka
Honestly, I am not sure what actions would be appropriate. My initial reaction was - Wikipedia (and all Wikimedia sites) is HTTPS-only, and this undermines HTTPS as such. So if Wikipedia should only be accessible over (real, no man-in-the-middle) HTTPS, perhaps requests that don't meet this

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-22 Thread rupert THURNER
displaying a warning that there is a MITM which reads all passwords and banking information sounds nice, yuri. there even seems to be ways to detect this client-server side: https://www.reddit.com/r/javascript/comments/7ldypq/is_it_possible_to_detect_mitm_by_javascript_in_a/ - you mean something

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-22 Thread George Herbert
Browser vendors could revoke the root that Kazakh authorities are using for the scheme. On Mon, Jul 22, 2019 at 5:35 AM Yuri Astrakhan wrote: > I don't think browser vendors will block the ability to install a custom > root certificate because some corp clients may use it for exactly the same >

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-22 Thread Yuri Astrakhan
I don't think browser vendors will block the ability to install a custom root certificate because some corp clients may use it for exactly the same reason -- creating an HTTPS proxy with fake certs in order to analyze internal traffic (in the name of monitoring/security). Browser vendors could

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-22 Thread Steinsplitter Wiki
That's shocking... >> I think this has serious implications for Wikipedia & Wikimedia, as not >> only they would be easily able to see which articles people read, but >> also steal login credentials, depseudonymize people and even hijack >> admin accounts. Yes, they can de-crypt the traffic.