Correct me if I'm wrong, but I believe browsers always ignored HPKP rules when presented with a cert signed by a CA that is locally installed rather than default.

On Sun, 28 Jul 2019, 12:58 John Erling Blad, <jeb...@gmail.com> wrote:

> The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but
> Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the
> MITM attack possible, by forcing the users to install the root certificate,
> as many of the sites listed have been on the HPKP list. With HPKP in place
> the scheme would be somewhat harder to implement.
>
> [1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
>
> On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka <setthemf...@privacyrequired.com> wrote:
>
> > I don't see any position from Mozilla on this yet:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
> > https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E
> >
> > Couldn't find anything about Google Chrome.
> >
> > Meanwhile, I have emailed secur...@wikimedia.org with a link to this
> > discussion (hope it's not a terribly inappropriate thing to do).
> >
> > It'd be great to hear from WMF about their view on this.
> >
> > Best,
> > Yury.
> >
> > Yury Bulka <setthemf...@privacyrequired.com> writes:
> >
> > > I'm not in Kazakhstan and am not directly in touch with any of
> > > wikimedians there, so I don't know their position.
> > >
> > > However, I'm not sure how much freedom they have in expressing their
> > > honest opinion about this publicly. Simply because it is always a
> > > pros-and-cons calculation to criticise your local government in such
> > > situations.
> > >
> > > Yaroslav Blanter <ymb...@gmail.com> writes:
> > >
> > >> I do not think Kazakhstan has a chapter. In the past, some Kazakh
> > >> Wikimedians enjoyed close collaboration with the government (for example,
> > >> the Kazakhstani Encyclopedia has been released under a free license and
> > >> verbatim copied to the Kazakh Wikipedia), so that I do not expect much.
> > >>
> > >> Cheers
> > >> Yaroslav
> > >>
> > >> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <homesec1...@gmail.com> wrote:
> > >>
> > >>> Yury
> > >>>
> > >>> What is the position of the Kazakhstan chapter on this?
> > >>>
> > >>> The Turnip
> > >>>
> > >>> On Sun, 21 Jul 2019 at 11:36, Yury Bulka
> > >>> <setthemf...@privacyrequired.com> wrote:
> > >>> >
> > >>> > I'm sure many have heard about this:
> > >>> >
> > >>> > https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> > >>> >
> > >>> > Essentially, the government in Kazakhstan started forcing citizens into
> > >>> > installing a root TLS certificate on their devices that would allow the
> > >>> > government to intercept, decrypt and manipulate all HTTPS traffic.
> > >>> >
> > >>> > Without the certificate, it seems, citizens can't access HTTPS pages (at
> > >>> > least on some ISPs).
> > >>> >
> > >>> > I think this has serious implications for Wikipedia & Wikimedia, as not
> > >>> > only they would be easily able to see which articles people read, but
> > >>> > also steal login credentials, depseudonymize people and even hijack
> > >>> > admin accounts.
> > >>> >
> > >>> > Another danger is that if this effort by Kazakhstan will succeed, other
> > >>> > governments may start doing the same.
> > >>> >
> > >>> > I wonder if WMF has any position on this yet?
> > >>> >
> > >>> > Best,
> > >>> > Yury.

_______________________________________________
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
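
The HPKP question discussed in this message, as an added example (not part of the thread and not any browser's code): a small Python model of RFC 7469 pin validation, including the local-policy exemption that RFC 7469 section 2.6 permits for chains ending at a user-installed trust anchor. The SPKI byte strings, the `strict` switch and all function names are constructed for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value (assumes no ';' inside quotes)."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(arg)  # base64 '=' padding survives partition()
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def connection_allowed(chain_spkis, anchor_is_builtin, policy, strict=False):
    """Decide on a chain that has already passed normal path validation."""
    if not policy["pins"] or not policy["max_age"]:
        return True, "no active pin policy"
    if not anchor_is_builtin and not strict:
        # Local-policy exemption: the root was added by the user or admin,
        # so pins are not enforced (hypothetical 'strict' switch disables this).
        return True, "pin check skipped: user-installed trust anchor"
    if any(spki_pin(spki) in policy["pins"] for spki in chain_spkis):
        return True, "pin matched"
    return False, "pin mismatch"

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF, PINNED_CA, BACKUP = b"spki:site-leaf", b"spki:pinned-ca", b"spki:backup-key"
OTHER_PUBLIC_CA, LOCAL_ROOT = b"spki:other-public-ca", b"spki:user-installed-root"
PROXY_LEAF = b"spki:proxy-leaf"

HEADER = (f'pin-sha256="{spki_pin(PINNED_CA)}"; pin-sha256="{spki_pin(BACKUP)}"; '
          'max-age=5184000; includeSubDomains')

if __name__ == "__main__":
    policy = parse_pkp_header(HEADER)
    print(connection_allowed([LEAF, PINNED_CA], True, policy))          # genuine chain
    print(connection_allowed([PROXY_LEAF, OTHER_PUBLIC_CA], True, policy))  # mis-issuance
    print(connection_allowed([PROXY_LEAF, LOCAL_ROOT], False, policy))  # installed root
    print(connection_allowed([PROXY_LEAF, LOCAL_ROOT], False, policy, strict=True))
```

In this model, pinning blocks a certificate mis-issued by another built-in CA, while a chain ending at a root the user was made to install is rejected only when the exemption is turned off.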