I don't think browser vendors will block the ability to install a custom root certificate because some corp clients may use it for exactly the same reason -- creating an HTTPS proxy with fake certs in order to analyze internal traffic (in the name of monitoring/security).
Browser vendors could make it more difficult to install, so that it would require the corp IT department to do some magic, or even release two versions of the browser - corp and general (with blocked uncertified root certs), but at the end of the day those could be worked around. The biggest deterrent in my opinion is to educating the users of the dangers such certs would do (i.e. all your passwords and bank info will be viewable by ISPs) - thus it would be social rather than purely technical solution. On Mon, Jul 22, 2019 at 1:33 PM Steinsplitter Wiki < [email protected]> wrote: > That's shocking... > > >> I think this has serious implications for Wikipedia & Wikimedia, as not > >> only they would be easily able to see which articles people read, but > >> also steal login credentials, depseudonymize people and even hijack > >> admin accounts. > > Yes, they can de-crypt the traffic. Hopefully browser vendors will > disallow the root certificate. > IMHO there isn't much WP can do, expect showing a warning if somebody is > trying to login > from the country in question. > > --Steinsplitter > > ________________________________ > Von: Wikimedia-l <[email protected]> im Auftrag von > Yury Bulka <[email protected]> > Gesendet: Sonntag, 21. Juli 2019 12:36 > An: [email protected] <[email protected]> > Betreff: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan > > I'm sure many have heard about this: > > https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html > > Essentially, the government in Kazakhstan started forcing citizens into > installing a root TLS certificate on their devices that would allow the > government to intercept, decrypt and manipulate all HTTPS traffic. > > Without the centificate, it seems, citizens can't access HTTPS pages (at > least on some ISPs). > > I think this has serious implications for Wikipedia & Wikimedia, as not > only they would be easily able to see which articles people read, but > also steal login credentials, depseudonymize people and even hijack > admin accounts. > > Another danger is that if this effort by Kazakhstan will succeed, other > governments may start doing the same. > > I wonder if WMF has any position on this yet? > > Best, > Yury. > > _______________________________________________ > Wikimedia-l mailing list, guidelines at: > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and > https://meta.wikimedia.org/wiki/Wikimedia-l > New messages to: [email protected] > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > <mailto:[email protected]?subject=unsubscribe> > _______________________________________________ > Wikimedia-l mailing list, guidelines at: > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and > https://meta.wikimedia.org/wiki/Wikimedia-l > New messages to: [email protected] > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > <mailto:[email protected]?subject=unsubscribe> _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l New messages to: [email protected] Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[email protected]?subject=unsubscribe>
