Seems like something happened early Friday morning.[1]

[1] https://censoredplanet.org/kazakhstan/live

On Sun, Jul 28, 2019 at 2:43 PM John Erling Blad <jeb...@gmail.com> wrote:

> You are right. “Firefox and Chrome disable pin validation for pinned hosts
> whose validated certificate chain terminates at a user-defined trust anchor
> (rather than a built-in trust anchor). This means that for users who
> imported custom root certificates all pinning violations are ignored.” [1]
>
> [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
>
> On Sun, Jul 28, 2019 at 2:07 PM Alex Monk <kren...@gmail.com> wrote:
>
>> Correct me if I'm wrong but I believe browsers always ignored HPKP rules
>> when presented with a cert signed by a CA that is locally installed rather
>> than default.
>>
>> On Sun, 28 Jul 2019, 12:58 John Erling Blad, <jeb...@gmail.com> wrote:
>>
>> > The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but
>> > Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the
>> > MITM attack possible, by forcing the users to install the root certificate,
>> > as many of the sites listed have been on the HPKP list. With HPKP in place
>> > the scheme would be somewhat harder to implement.
>> >
>> > [1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
>> > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
>> >
>> > On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka
>> > <setthemf...@privacyrequired.com> wrote:
>> >
>> > > I don't see any position from Mozilla on this yet:
>> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
>> > >
>> > > https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E
>> > >
>> > > Couldn't find anything about Google Chrome.
>> > >
>> > > Meanwhile, I have emailed secur...@wikimedia.org with a link to this
>> > > discussion (hope it's not a terribly inappropriate thing to do).
>> > >
>> > > It'd be great to hear from WMF about their view on this.
>> > >
>> > > Best,
>> > > Yury.
>> > >
>> > > Yury Bulka <setthemf...@privacyrequired.com> writes:
>> > >
>> > > > I'm not in Kazakhstan and am not directly in touch with any of
>> > > > wikimedians there, so I don't know their position.
>> > > >
>> > > > However, I'm not sure how much freedom they have in expressing their
>> > > > honest opinion about this publicly. Simply because it is always a
>> > > > pros-and-cons calculation to criticise your local government in such
>> > > > situations.
>> > > >
>> > > > Yaroslav Blanter <ymb...@gmail.com> writes:
>> > > >
>> > > >> I do not think Kazakhstan has a chapter. In the past, some Kazakh
>> > > >> Wikimedians enjoyed close collaboration with the government (for example,
>> > > >> the Kazakhstani Encyclopedia has been released under a free license and
>> > > >> verbatim copied to the Kazakh Wikipedia), so that I do not expect much.
>> > > >>
>> > > >> Cheers
>> > > >> Yaroslav
>> > > >>
>> > > >> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <homesec1...@gmail.com>
>> > > >> wrote:
>> > > >>
>> > > >>> Yury
>> > > >>>
>> > > >>> What is the position of the Kazakhstan chapter on this?
>> > > >>>
>> > > >>> The Turnip
>> > > >>>
>> > > >>> On Sun, 21 Jul 2019 at 11:36, Yury Bulka
>> > > >>> <setthemf...@privacyrequired.com> wrote:
>> > > >>> >
>> > > >>> > I'm sure many have heard about this:
>> > > >>> >
>> > > >>> > https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
>> > > >>> >
>> > > >>> > Essentially, the government in Kazakhstan started forcing citizens into
>> > > >>> > installing a root TLS certificate on their devices that would allow the
>> > > >>> > government to intercept, decrypt and manipulate all HTTPS traffic.
>> > > >>> >
>> > > >>> > Without the certificate, it seems, citizens can't access HTTPS pages (at
>> > > >>> > least on some ISPs).
>> > > >>> >
>> > > >>> > I think this has serious implications for Wikipedia & Wikimedia, as not
>> > > >>> > only they would be easily able to see which articles people read, but
>> > > >>> > also steal login credentials, depseudonymize people and even hijack
>> > > >>> > admin accounts.
>> > > >>> >
>> > > >>> > Another danger is that if this effort by Kazakhstan succeeds, other
>> > > >>> > governments may start doing the same.
>> > > >>> >
>> > > >>> > I wonder if WMF has any position on this yet?
>> > > >>> >
>> > > >>> > Best,
>> > > >>> > Yury.
>> > > >>> >
>> > > >>> > _______________________________________________
>> > > >>> > Wikimedia-l mailing list, guidelines at:
>> > > >>> > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
>> > > >>> > https://meta.wikimedia.org/wiki/Wikimedia-l
>> > > >>> > New messages to: Wikimedia-l@lists.wikimedia.org
>> > > >>> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
>> > > >>> > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
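
The pin-validation behaviour discussed in this thread, as an added example that is not part of any message above: a simplified model of HPKP enforcement showing why a pinned site is still interceptable once the interception root has been installed by the user. The SPKI byte strings are constructed placeholders rather than real keys, and `evaluate` is a hypothetical helper modelling the quoted MDN behaviour, not browser code.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pins(header: str) -> set:
    """Extract the pin-sha256 values from a Public-Key-Pins header value."""
    return set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header))

def evaluate(chain_spkis, pins, anchor_builtin):
    """Return (allowed, reason) for a chain that already passed normal validation."""
    if not anchor_builtin:
        # Behaviour quoted from MDN: user-defined trust anchors bypass pinning.
        return True, "pin check skipped: chain ends at a user-installed root"
    if pins & {spki_pin(s) for s in chain_spkis}:
        return True, "pin matched"
    return False, "pin violation"

# Constructed stand-ins for DER SPKI blobs (assumptions, not real keys).
SITE_LEAF = b"constructed-spki:site-leaf"
SITE_CA = b"constructed-spki:site-issuing-ca"
BACKUP = b"constructed-spki:offline-backup-key"
MITM_LEAF = b"constructed-spki:interception-leaf"
MITM_ROOT = b"constructed-spki:interception-root"

# Header as the pinned site would have sent it (issuing CA plus a backup pin).
HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
          % (spki_pin(SITE_CA), spki_pin(BACKUP)))
PINS = parse_pins(HEADER)

def scenarios():
    """Three cases: genuine chain, interception under a default-store root,
    and interception under a root the user was made to install."""
    return {
        "genuine": evaluate([SITE_LEAF, SITE_CA], PINS, True),
        "mitm_default_store": evaluate([MITM_LEAF, MITM_ROOT], PINS, True),
        "mitm_user_installed": evaluate([MITM_LEAF, MITM_ROOT], PINS, False),
    }

if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'blocked'} ({why})")
```

Only the second case is blocked, so pinning protects against a mis-issuing CA in the default store but not against a root the client has been configured to trust.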