Fella from Kazakhstan is here. The thing is that the state government claims that they have finished certificate testing and provided instructions on how to remove it from devices two weeks ago (http://knb.gov.kz/ru/news/v-otnoshenii-sertifikata-bezopasno...).
I never installed that certificate and had to use a VPN during this time. Still, some people have connection issues with certain sites like Facebook, Gmail, etc.
Some companies have sued the government and mobile carriers over those connection issues.
In my opinion Mozilla and Google made the right decision. There is a lot of talk about how good Kazakhstan is now for doing business (the taxes are low, it's easy to get visas for foreign employees), and by doing this they are losing trust in themselves.
I don't think they will manage to make a fork of one of the browsers, simply because the level of our software production is kinda low, especially in the government sector, and people will definitely not use the browser if they attempt to make one; they will manage to use a VPN and will find other ways to just use the "normal" software.
> I don't think they will manage to make a fork of one of the browsers, simply because the level of our software production is kinda low, especially in the government sector, and people will definitely not use the browser if they attempt to make one
Well, they could always license browsers from other vendors, which they will, if things need to go that extent.
> they will manage to use VPN and will find other ways to just use the "normal" software
Are users in Kazakhstan willing to pay an extra $5 or more per month for VPNs that respect user privacy? If not, using free VPNs is only going to make matters worse. In India, where porn is blocked, users typically resort to using Telegram or free VPNs to satiate their desire for it; most wouldn't pay $2 per month for VPNs, even when they could afford it (since $0 VPNs are a click away and unblock porn for them).
I can't imagine how a free VPN could be worse than an actual government-sponsored man-in-the-middle attack, particularly since VPNs don't force you to install their own CA certificate (and therefore can't intercept HTTPS connections).
Agree, but: most free VPNs are run by state-owned actors and may in fact also be honeypots, which are now dripping with metadata for literally everything you do on the Internet. Whilst that is not strictly worse than MITM'd HTTPS, it is still a step in the wrong direction.
I'm not quite sure what you're insinuating about Tor. Tor is an open-source project governed by a non-profit. If you're worried about things like backdoors, that's why it was open-sourced in the first place.
I'm not sure how you're connecting the CIA with Tor. I wouldn't be surprised if the CIA uses Tor. I know the State Department does.
That's a dramatic statement however and you didn't support it at all with your links. Can you back up the claim that most free VPNs are state-owned? That is what the reply was likely asking for.
Sure, they could always get a license for one of the browsers, and still it will be hard to force people to switch to that browser, simply because people are used to working in Chrome, or Firefox, or even Edge; this software is convenient, and mostly it works perfectly. It will be very hard for the government, and they will lose trust even more. It's kinda painful to use the services that our government provides: they're usually slow, full of bugs, and it takes them a long time to fix things.
By mentioning VPNs I meant that it will be the way to get normal software if they block downloads and updates for certain browsers.
Of course user privacy is another topic, and I don't think that most people will pay for a VPN.
> We encourage users in Kazakhstan affected by this change to research the use of virtual private network (VPN) software, or the Tor Browser, to access the Web
Mozilla should be careful suggesting the use of VPNs (without providing a disclaimer) since most of the well-marketed ones are, for all intents and purposes, MiTM blackboxes [0], owned by state-actors in some cases [1].
If folks do inadvertently flock to free VPNs, the situation would get way worse (tracking now not just limited to HTTPS, but everything above layer-2).
LinusTechTips did a video on anonymous browsing with VPNs and Tor yesterday and I wish they had been more serious on this bit. The top/pinned comment when I viewed was along the lines of "What is a good free VPN, not a trial", and LTT themselves responded something like "None. Bandwidth costs money and you should be suspicious of a VPN that doesn't make money in a clear way." Still, I bet 99% of viewers won't see a comment response.
But even then, and I realize this gets a bit tinfoily, but as a thought experiment, is there a really good, reasonably trustless, way to vet a VPN?
For example I use PIA because of word of mouth and a few incidents in the past which show trustworthiness. But how can I really prove they're not secretly backed by China and I'm paying $5/mo for higher priority access to a Chinese VPN farm? Or at the very least that they are honest on any given day about not retaining log data.
I don't know if this is helpful, but I'll mention it because it works well for me.
I use a Digital Ocean droplet and local forwarding.
$ ssh -q -D [port] [droplet-hostname]
Then set up my browser to use a proxy at localhost on [port]. Works great. You can get a "droplet", in Digital Ocean parlance (i.e., a "VPS"), for as little as $5/mo, which includes 1TB/mo of data transfer. I assume other options like Linode, Vultr, etc. would work as well.
There is also sshuttle, which will forward all TCP traffic on your machine to anywhere you can ssh into and run a python script:
https://github.com/sshuttle/sshuttle
It's very easy to use and setup, just do
sshuttle -r username@12.34.56.789 0/0
That's it. All your TCP traffic is now going through your remote server. If you want DNS requests to go through as well, you can add the --dns option.
I've been using sshuttle for a while and it works great. But I've always had to exclude (-x) the host address from trying to route through the sshuttle itself and ending up in a loop:
I actually did this for several years, with the added benefit that any number of my (trusted) friends could piggyback on it, given we weren't all using at once. There are dozens of great guides on this, DigitalOcean even hosts some of their own that you can practically copy paste blindly and be done.
I'll be honest though, haha, 10% of my VPN usage is legitimate stuff and 90% is just so I can feel safe streaming things illegally that are otherwise hard to purchase. So I switched over to a third party for the simplicity. If I wanted to do more than avoid an email from my ISP I would definitely go back to rolling my own. (I'm also grandfathered into PIA's older cheaper price tier which makes it easier).
That's pretty funny. I am from Kazakhstan myself and our largest (pretty much monopolist) internet provider has been encouraging ""piracy"" for as long as I can remember.
About 10 years ago a bunch of local media companies (making money from selling badly translated Hollywood movies/video games/etc) lobbied a new law making operating all torrent trackers illegal, and banning access to everything they could find carpet bombing-style.
Well, the ban lasted for less than a week, and was lifted after some heavy lobbying by said provider, who was beginning to lose a share of their most valuable customers.
Here's another anecdote: in ~2012, when I was getting an FTTH connection, their representative used a popular torrent on my machine to measure the upload/download speeds through the freshly laid cable.
I live in Nashville and we have FTTH from both AT&T and Google as well as gigabit service from Comcast. I think the problem is the US is really, really big and we widely deployed cable which has been "good enough" (DOCSIS 3.x at 300, 500Mb/s or more) that there historically hasn't been much incentive for people to deploy really expensive fiber networks.
But it is certainly improving all the time. I think services like Starlink and fixed 5G are really driving carriers to start deploying more fiber to compete.
An ssh proxy is great, but might as well just use OpenVPN if you’re hosting on DO or Vultr since I believe they both have prebuilt images you can deploy with a single click.
I use my VPS for several other things and because it already runs ssh, this was easier for me, so I've never looked into OpenVPN. I keep telling myself once WireGuard is merged into the kernel I will really invest some time into getting up to speed on it.
We (PIA) are not backed by China. But you’re absolutely right - how do you vet trust in a VPN?
The true answer isn’t one the industry or you want to hear - you don’t. Audits don’t do much as they only prove something is true at a certain moment in time. There is still trust involved. Instead, it’s a responsibility of the VPN industry to migrate towards architectures that require lesser or zero trust.
We are working on it, and as always, I encourage anyone else in the industry (or outside of it) to reach out as this is something we should all work toward, because that’s what cypherpunks do!
> But how can I really prove they're not secretly backed by China and I'm paying $5/mo for higher priority access to a Chinese VPN farm
You can't. But you need to think of what your threat model is here. I tend to assume that FIVEYES is capable of intercepting all of my internet traffic going via a commercial VPN, but also ... that's kind of fine? My threat model is I don't want to fall victim to cyber-crime, and I want to remain relatively anonymous to large American corporations.
This might not work for some countries, but it does work for us. Kazakhstan is not China, we are not technologically-independent, and the government doesn't have an iron grip on its people. Forking open-source browsers and forcing to use them is not a feasible option for our corrupt government.
While the solution of blocking a specific CA might not be elegant or permanent, it does send a strong message to our and other governments who have been thinking of MITM-attacking their citizens.
It does get me wondering, however, how viable this would be in other countries. Say, what if the UK or the US were to try to pull something like this? There's not much that Kazakhstan can do against Mozilla. However, if something similar were tried here in the US, it seems to me Mozilla would be a lot more vulnerable to government retaliation, or being forced to do what the Fed says whether they want to or not. The Mozilla Foundation is incorporated here in the US. Those board members who are not US citizens could be deported or prevented from entering the US. Those board members who are US citizens and residing here could be arrested. The IRS could be weaponized to revoke their 501(c)3 status. There are probably other things I'm not thinking of.
I'm not saying the US is quite that bad, or that it's going to get that bad here soon. But I don't think it's unreasonable to think that such could happen if people don't remain vigilant. We need only to look at the history of other nations abroad and our own history here to see just how quickly and easily it can and has gotten that bad in the past.
Again, I'm glad of Mozilla's and Google's technical solution to this problem. But, as it seems governments continue to lean in this direction, I worry that failing to pursue the policy angle in addition to the technical angle when addressing these problems will cause the technical solutions to be or become brittle.
Edit: I was reminded that donations to groups who do pursue the policy angle, like the EFF, would be more effective than handwringing on HN. I would encourage those of you who are also concerned about this to do the same.
Worth looking at what the response to Mozilla's DNS-over-HTTPS system in the UK has been. Disabling it by default is a good way to avoid conflict, but means that the feature effectively doesn't exist for the vast majority of users.
The NSA was able to read Google's traffic because Google did not encrypt traffic over their fiber. When they found out that the NSA was tapping their fiber, they started encrypting that traffic. I don't know of any reason to believe that the NSA has access to decrypted Google traffic today, except via court order.
What I'd be interested to know is how the situation is past the encrypted connections, i.e. inside the data centers. If you can't wiretap the connection, it seems like a logical choice that your next angle of attack would be the data centers. While you might not get insight on Google (without cooperation), the growing centralisation would actually make it easy to access data for many smaller companies: If you can convince just Amazon to work with you, you have potential access to the data of everyone that uses AWS.
You wouldn't know of any reason to believe that the NSA had access to google traffic back when they did if Snowden didn't allow you to know. Why choose to assume they don't rather than do?
I remember being disappointed in both Apple and Microsoft when it came to some fraudulent certificates from China [0]. IIRC the situation was worse for iPhone users, who have no way of manually revoking CAs on their phones/tablets.
I'm glad to see the browser developers being proactive to help protect users from this kind of thing.
I'll be very interested to see what happens when it's countries they have more connections to, who start doing this kind of thing.
For example in the UK it seems likely that the Digital Verification Act will require ISPs to block access to pornographic sites that don't comply with the legislation.
Given the rise of DNS over HTTPS, it'll be hard to comply with that requirement without some form of MITM, so if the UK ISPs do that, will Mozilla/Google/MS/Apple also block their certs...
> For example in the UK it seems likely that the Digital Verification Act will require ISPs to block access to pornographic sites that don't comply with the legislation.
While there is clearly lots of potential for abuse, this seems to me a discussion where tech companies make things awfully easy for themselves.
Like, what is the supposed process to block a website that should be blocked if browser developers do everything they can to keep the ISP from doing so? (Assuming the host is not cooperating.)
Or is the opinion really that nothing at all should ever be blocked? No pirated media, no malware, no child porn, no nothing? Then, what gives e.g. Google the right to block apps from their app store?
“We will never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users’ data. We have implemented protections from this specific issue, and will always take action to secure our users around the world.” — Parisa Tabriz, Senior Engineering Director, Chrome
Chrome isn't preventing the certificate from being installed, they just added it to a CRLSet, so it'll be treated as revoked even if it is manually installed. Firefox is doing basically the same thing I think, probably adding the cert to OneCRL.
I must have misread "Chrome will be blocking the certificate the Kazakhstan government required users to install" as "Chrome will be blocking the certificate the Kazakhstan government required from being installed".
This is frankly big: an explicit blacklist inside the browsers' code to circumvent a state-based MITM attack. My only concern is: they could easily MITM and redirect users trying to download these new Firefox/Chrome versions to old unpatched ones and just break the automatic update process. Although I hope that they already started distributing this update silently (like all the Chrome/Firefox updates) before announcing it.
> In 2015, the Kazakhstan government attempted to have a root certificate included in Mozilla’s trusted root store program. After it was discovered that they were intending to use the certificate to intercept user data, Mozilla denied the request.
This strikes me as odd. Does this mean that political authorities (or major tech companies) can get their roots in the program, as long as there's no direct evidence they're using it to MITM? Seems like you'd want the opposite policy, where to get your root in the program, you have to sign a bunch of agreements about how you're going to use it and submit to regular audits to make sure you're not misusing your new authority.
As long as they deploy custom CAs to every machine they own, nothing wrong with that: there are legal requirements to log or filter stuff on company computers.
Solution is simple- don’t use business machines for personal stuff[0] and there will be nothing to intercept.
[0] this is usually already mentioned in company computer use policy anyway.
You're right but in my experience the filter is often terribly implemented. I'm often blocked from completely benign websites like code libraries because they get categorized as "Pornography or Other Harmful Material". [Personal gripe more than anything]
There's nothing harmful about it. Many organizations have a legitimate need to monitor their network traffic. For example any healthcare provider has a moral and legal requirement to ensure that protected health information isn't being improperly sent outside. Traffic monitoring and deep packet inspection is also important for intrusion detection.
If you don't like it then there is something you can do: go work somewhere else, or use your own device on your own network.
It’s harmful to me because it adds costs to development and use of technology. So it increases costs for no value and reduces my bonus payout.
Moral requirements to protect patient info have absolutely nothing to do with MITMing traffic to employee banking sessions, etc.
There’s very little empirical data showing benefit of this for data loss prevention or intrusion detection. What I’ve seen is security theater by companies who make money selling these products.
The other option I have, other than quitting, is to improve company policy to focus resources away from wasteful spending toward productive spending. As well as to try to influence browser vendors to block this. Fortunately, if Chrome and Firefox go a step further and block this behavior for companies, then it's not practical for an organization to spend money to purchase a different browser. This is possible since Microsoft went to Chromium.
Why would you even consider using someone else's device to access your private financial accounts? That's just crazy from a security standpoint. Regardless of whether the browser has a MITM certificate installed or not, the device could have other monitoring and logging software installed.
That’s one way. I think a smarter way would be for browsers to compare the SSL cert in the browser with some whitelist of SSL certs from a CDN or browser-managed set and block when they differ (i.e. my browser is showing a different cert for HN than Safari knows is valid, so block it).
There’s quite a few ways to prevent this. Custom CAs are pretty necessary for internal networks so I don’t think they should be blocked whole cloth, but restricting how they can be used so they don’t impersonate real things would be nice.
Hmm, I think part of that has already been implemented by certificate transparency. But the reason it didn't block this attack is that CT is only enforced against public CAs, not custom installed CAs. The reason it's not enforced against custom CAs is that for people who do development and need to debug their own traffic, it's not feasible to have them submit to CT logs.
It sounds like you want all domains to be divided into 2 categories: testing/internal domains, and real domains, where in real domains only public CAs with valid CT entries would be trusted, but in testing domains custom CAs are allowed. Maybe we could go even a step further in the division and disallow public CAs from testing domains. There's of course the question of how to distinguish a real domain from a testing domain; maybe this could be done by saying all testing domains must be in a special TLD such as .local or .testing.
This might work, but it's still restricting developers, because if they need to debug some problem they have fewer options on how to do it. There might be a problem with cookies on the real domain that won't reproduce on the testing domain. And they need to maintain 2 server configs instead of 1, one for each domain.
I don’t use work for anything personal. It’s directly annoying because mitm’ing calls to GitHub and other package repos causes packages to blow up a bit.
My complaint isn’t about privacy, it’s about efficiency.
I expect the idea is less to prevent any possible threat and is more a) to comply with regulations and b) to log enough data so if somebody does circumvent your legally required measures, they've left enough of a trail to hang themselves.
Your org has every right to MITM your connections. You are on their hardware, on their line, doing work for them. You should have no expectation of privacy at work, and this includes your computer usage.
> To protect our users, Firefox, together with Chrome, will block the use of the Kazakhstan root CA certificate. This means that it will not be trusted by Firefox even if the user has installed it.
I don't like this (to be honest, I don't like the whole "certificate authority" thing to begin with).
I don't think my browser should meddle in my relationship with the state.
Why don't they also block every CA residing in the US? The US government coerces companies into giving away private data. How do we know that they don't share their private keys with the US government? Will Mozilla & Google take the blame when this happens? Because they've declared themselves the guardians of certificate trust.
What if I legitimately need to install this certificate?
CAs use their private keys to sign website operators' public keys. They don't know the website operators' private keys. Therefore, the only way a rogue CA could intercept traffic is by issuing fake certificates with keys controlled by the attacker, which is what CT aims to detect.
Of course, CT doesn't prevent website operators from sharing their private keys with third parties, but the discussion here is about CAs, not website operators.
As I understand it, if you come across a certificate signed by a CA that claims to follow CT, but isn't in the CT logs, it's a fairly major red flag - at the very least, the certificate has been mis-issued. If the third party _does_ log it in certificate transparency, a site owner can check if any certificates have been issued that they did not ask for.
Question for those with a fuller understanding: How can a browser verify this without leaking knowledge about every SSL certificate (and thus a significant percentage of browsing history) they have seen?
When issuing the certificate, the CA submits a pre-certificate to the CT logs, and the final certificate includes a cryptographic proof that the certificate was included in the log. The browser can check that proof without needing to query a 3rd party.
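The two points made above, that CT lets a site owner spot certificates issued for their domain that they never requested, and that inclusion in a log is checked against a Merkle root rather than by asking a third party, can be shown with a toy log. This is an added example, not code from the thread or from any CT log implementation: it implements the RFC 6962 leaf/node hashing, audit-path generation and the RFC 9162 inclusion-proof verification algorithm, plus a small domain-owner monitor. The log entries are constructed strings standing in for DER (pre-)certificates, and the CA names and fingerprints in them are made up.

```python
"""Toy Certificate Transparency log (added example, not a real CT client).

Entries are constructed "cn=...;issuer=...;fp=..." strings that stand in for
(pre-)certificates; in a real log they would be DER blobs."""
import hashlib
from typing import List, Set


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 domain separation: leaves are prefixed with 0x00 ...
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf can never pass as a node.
    return _sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries: List[bytes]) -> bytes:
    """Merkle Tree Hash of the log, RFC 6962 section 2.1."""
    if not entries:
        return _sha256(b"")
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def inclusion_path(index: int, entries: List[bytes]) -> List[bytes]:
    """Audit path for entry `index`: sibling hashes needed to rebuild the root."""
    if len(entries) <= 1:
        return []
    k = _split(len(entries))
    if index < k:
        return inclusion_path(index, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_path(index - k, entries[k:]) + [tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2. The verifier needs only the entry, its index,
    the tree size, the path and the (signed) root hash: no query to the log."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False  # more path elements than the tree shape allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # p is a left sibling
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # p is a right sibling
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def monitor(entries: List[bytes], domain: str, expected_fps: Set[str]) -> List[bytes]:
    """Domain owner's check: every logged cert for `domain` must carry a key
    fingerprint the owner actually requested; anything else is mis-issuance."""
    unexpected = []
    for e in entries:
        fields = dict(f.split("=", 1) for f in e.decode().split(";"))
        if fields.get("cn") == domain and fields.get("fp") not in expected_fps:
            unexpected.append(e)
    return unexpected


# Constructed sample log; "Rogue CA" issued a cert for example.test whose key
# ("cc33") is not one the domain owner generated.
LOG = [
    b"cn=example.test;issuer=Good CA;fp=aa11",
    b"cn=other.test;issuer=Good CA;fp=bb22",
    b"cn=example.test;issuer=Rogue CA;fp=cc33",
    b"cn=mail.example.test;issuer=Good CA;fp=dd44",
    b"cn=example.test;issuer=Good CA;fp=ee55",
]


def demo():
    """Returns (all inclusion proofs verify, certs the owner never requested)."""
    root = tree_hash(LOG)
    proofs_ok = all(
        verify_inclusion(e, i, len(LOG), inclusion_path(i, LOG), root)
        for i, e in enumerate(LOG))
    return proofs_ok, monitor(LOG, "example.test", {"aa11", "ee55"})


if __name__ == "__main__":
    ok, bad = demo()
    print("all inclusion proofs verify:", ok)
    for e in bad:
        print("unexpected certificate logged:", e.decode())
```

The verification loop never touches the log after the fact, which is the property the comment above describes; what it cannot do is notice a certificate that was never logged at all, which is why browsers require SCTs from public CAs and why the domain-owner monitor is the half of CT that catches the rogue issuance here.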
Though not the US, the Dutch firm DigiNotar's root cert was blacklisted following blatant misuse.
Run by VASCO, the certificate was used to issue fraudulent certificates principally in Iran, though the company also issued certificates used by the Dutch government.
The CA was taken over by the Dutch government prior to being shut down entirely in bankruptcy proceedings. Over 10,000 client companies were affected.
VASCO was spun off to the Chicago, USA, based OneSpan.
Browser developers have specific expertise and interest in monitoring CAs, and have developed processes for identifying, resolving, or acting on misuse or abuse which individual systems operators cannot be expected to replicate.
> Mozilla doesn't think the state should meddle in your relationship with them, or the rest of the Internet.
I don't want to have a relationship with Mozilla. I use their browser to communicate with other people. The browser is merely a tool, and I would expect it to allow me to communicate with anyone I want (as long as it's technically feasible), not only people that Mozilla approves of.
What's your point? Mozilla and Google here are preventing the government's bogus CA from being used to bypass encryption. You can talk to whoever you want, and in full safety (as opposed to doing so while being spied on by a tyrannical government like Kazakhstan's).
Installing a cert in the local root store means 'I fully trust the owner of this certificate'. It is an intentional feature of TLS to use this to be able to consensually MitM a TLS connection.
Yet here, western companies have decided that, regardless of whether the user wants to be man-in-the-middle'd by Kazakhstan, they simply cannot.
This is inherently a political and not a technical decision. What Kazakhstan is doing is not actually breaking TLS, but instead using a feature.
I guess the real problem is that it's not immediately obvious to non-technical users what the implications are of installing a government-issued MITM CA certificate.
That could potentially be fixed with better UI, but even then it's rather hard to communicate the danger when the user is under the influence of a social engineering attack from their own ISP. (E.g. "This certificate is needed to ensure your security. Just ignore that warning from your browser, it's not important.")
This is not a social engineering attack, or at least it need not be. It is simply made a requirement; block any connections to the outside that do not use the certificate. Then people have a choice of no HTTPS (which blocks many big sites) or HTTPS that is MitMed by the government.
Incidentally, the above is why the 'consensual MitM-ing through a root cert is a feature of TLS' argument does not hold up. It is not consensual, it is not even coerced, it is a hard requirement. You could then go into an argument about national sovereignty / complying with local laws, but that is a totally different argument.
If I want to talk to the tyrannical government using their CA, I can't do it using Chrome or Firefox.
Look, I'm as pro-freedom as they come and I'm against coercing people to install certificates, but I also think good tools don't leverage their popularity to push their political opinions, even if I agree with those opinions. Good tools allow their user to do whatever is technically possible, even if the tool maker doesn't like that use-case.
The political and personal relationships of the user fall outside the realm of concern of the tool.
> credible reports that internet service providers in Kazakhstan have required people in the country to download and install a government-issued certificate on all devices and in every browser in order to access the internet
Maybe for some it was a choice. Anyway, it's not the web browser's business.
If anyone is coercing me to do something, it's a problem between that person and me. I don't want Mozilla lecturing me on politics, I just want to use the browser.
This is lies. They did not require people to install anything. They MITMed only mobile internet. They MITMed only one city. In this city only a few domains were MITMed. Only a fraction of connections to those domains were MITMed.
So in practice I think that most people did not even notice anything. And those who noticed could just press F5 a few times. Or use a VPN, as many people do anyway.
I don't think my browser should meddle in my relationship with the state.
Neither do I, but in practice the browsers already do meddle in your relationship with the state: they decided to include that certificate in the first place!
I'm somewhat surprised that Mozilla went this route, because I recall during discussions, there was concern that explicitly blacklisting a country's root CA could lead the country to simply fork and release its own nation-state browser with the root CA trusted. That would be bad for everyone for many reasons, not the least of which being that the nation-state forked browser would likely be perpetually behind the main branch in terms of bugfixes and security updates.
What would these vendors do if the US Government made a law requiring the USG receive all US CA private keys, or some other encryption backdoor? Would they be able to put these kinds of changes in, or wouldn't that be circumventing the law?
Handing over CA keys wouldn't allow them to MITM things; you'd need the server operator's private key for that. This could allow them to issue new certs, but they'd have to be added to certificate transparency to be valid, and everyone would know rather quickly if they tried.
Mozilla is a little late, to be honest, because now the testing of the "security certificate" is over and the government (temporarily?) gave up the idea of forcing everyone to install the certificate.
But I think it is important that the OS or browser UI display true information about the consequences of installing a certificate, because the government usually lies about it, saying something like it is necessary to protect users when browsing the Internet. For example, Android shows a reminder when a third-party root certificate is installed and offers a quick way to remove it.
It was deprecated, but some users still have connection issues; I still have no access to Gmail from an office network without a VPN. This is what I mean by saying that our state software is lame: they deprecated the cert two weeks ago and there are still issues with connectivity, and I'm sure they kinda don't care.
I have a feeling that they gathered a database of usernames and passwords, because only certain sites were targeted for the MITM, mostly mail services like Gmail and social networks (Facebook, YouTube and others). Other sites were working fine even without that cert.
And after that MITM they had to stop, due to people's discontent and lawsuits. These are also reputational losses; it is unlikely that foreign companies will want to do business in a country in which personal data is treated this way and where the government wants to see all your passwords for email services and bank accounts.
There was also a question about ensuring the security of a root certificate that can decrypt data; it could easily get to third parties who could use it for their own purposes.
Connection issues and MITM are different things. Connection issues are just a bad ISP. This Mozilla blacklist does nothing. They'll generate a new certificate, put it on a website, enable country-wide MITM for a few days until protests calm down and then turn the whole thing off. And Mozilla will blacklist that certificate a few months later, LoL.
I think that currently this certificate is used in state organizations and I have to work with the Internet from there. Obviously a VPN is not an option. I would hate to use IE instead of Firefox just because of that. I guess I would use some old version and prevent it from upgrading, but that's just stupid.
Also I really dislike that Mozilla wants to decide whom I should trust. If I added that certificate, it's my business, not theirs. They should encrypt bytes and display HTML, not engage in foreign politics.
The problem with "Mozilla should trust the user" is that the threat model itself is users being forced, coerced, or tricked into installing the cert.
Presumptions of user autonomy, consent, or informedness are invalid.
Which means that the bypass process should be highly inconvenient.
I've addressed that separately in a direct response above -- might not be a solution for you, but it's the direction I'd look to. Alternatively, you could look for what Firefox's behaviour in the presence of locally installed certs would be, though as noted above, given the threat model, it largely shouldn't do that.
Keep in mind that a large chunk of Mozilla, Google, and Apple's stance here (and I suspect Microsoft will join them) is that this is a very bad practice for CAs or governments, as not only will the browsers flag this practice and those certs, but a lot of collateral damage will result. This is by all appearances deliberate and a strong message not to do that, then, to any governments which are considering similar asshattery.
And failing to respond forcefully to such actions and threats risks compromising all trust whatsoever in the browser and CA models. Which are rickety enough as it is. So Mozilla, Google, and Apple most definitely have dogs in this fight as well.
Firefox is open source. You can change anything in the code instead of demanding that Mozilla compromise everyone's security for your particular case. All you need is 40 GB of free space on your HDD and 4 GB or more of RAM, if I remember correctly. And if you are working for a government organization, they probably have someone who can fix such issues.
Good that they are taking action; however, blacklisting that specific CA cert seems like a hacky band-aid fix. This is going to end in a cat-and-mouse game and again shows how broken the whole CA system really is. What I wish they would do is block all "enterprise" CAs and restrict verification chains to end in a list of a few whitelisted CAs. I understand how disruptive this would be, but in the end it would result in better security for everyone. There are no legitimate reasons for breaking end-to-end encryption in my opinion.
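The cat-and-mouse objection raised in the two comments above (blacklist one certificate, the interceptor simply issues another) can be made concrete. The Go program below is an added example; it is not code from Mozilla, Firefox or anyone in this thread, and it does not reproduce the blocklist mechanism Firefox actually ships. It assumes a client that keys its distrust list on the SHA-256 of a root's SubjectPublicKeyInfo, and every CA, key and hostname in it is constructed in memory (`mail.example.test` is made up). It checks four things in order: a chain to a normal root is accepted; a chain to the user-installed interception root is rejected even though that root sits in the trust store; a re-issued root certificate carrying the same key is still rejected; and a root with a brand-new key is accepted until the list is updated, which is exactly the weakness the comments describe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "mail.example.test" // constructed; nothing here is a real CA, host or key

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for cn and returns it with its private key (a nil key means
// generate one). A nil parent yields a self-signed root; otherwise a server leaf for host cn.
func issue(cn string, parent *x509.Certificate, signer, key *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	if key == nil {
		key = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	t := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// spki fingerprints the key, not the certificate around it: a re-issued cert for the same key hashes the same.
func spki(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

var ErrDistrusted = errors.New("every valid chain passes through a distrusted key")

// verify runs normal path validation, then accepts only if some valid chain avoids every distrusted key.
func verify(leaf *x509.Certificate, roots *x509.CertPool, distrusted map[[32]byte]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
next:
	for _, chain := range chains {
		for _, c := range chain {
			if distrusted[spki(c)] {
				continue next
			}
		}
		return nil
	}
	return ErrDistrusted
}

// Scenario plays the cat-and-mouse game from the thread against this client.
func Scenario() (legitOK, mitmBlocked, reissuedBlocked, newKeyOK bool) {
	legitRoot, legitKey := issue("Legit Root", nil, nil, nil)
	mitmRoot, mitmKey := issue("Interception Root", nil, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(legitRoot)
	roots.AddCert(mitmRoot) // the user was made to install this one
	distrusted := map[[32]byte]bool{spki(mitmRoot): true}
	leaf, _ := issue(host, legitRoot, legitKey, nil)
	legitOK = verify(leaf, roots, distrusted) == nil
	leaf, _ = issue(host, mitmRoot, mitmKey, nil)
	mitmBlocked = verify(leaf, roots, distrusted) == ErrDistrusted
	// Step 2: the interceptor re-issues its root with the same key. Still caught.
	reissued, _ := issue("Interception Root", nil, nil, mitmKey)
	roots.AddCert(reissued)
	leaf, _ = issue(host, reissued, mitmKey, nil)
	reissuedBlocked = verify(leaf, roots, distrusted) == ErrDistrusted
	// Step 3: a fresh key matches nothing until the blocklist is updated again.
	fresh, freshKey := issue("Interception Root v2", nil, nil, nil)
	roots.AddCert(fresh)
	leaf, _ = issue(host, fresh, freshKey, nil)
	newKeyOK = verify(leaf, roots, distrusted) == nil
	return
}

func main() {
	fmt.Println(Scenario()) // legit accepted, MITM blocked, re-issued blocked, new key accepted
}
```

`go run` prints the four verdicts as `true true true true`. The design point is the one the thread is circling: distrust by key (SPKI hash) survives a re-issued certificate, distrust by serial does not, and neither survives a key rotation, so a blocklist of this shape is only as good as how quickly it is updated.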
> I understand how disruptive this would be, but in the end it would result in better security for everyone.
I disagree. I could quite easily see this resulting in companies using old browser versions, or hacking in a potentially exploitable way to get MITM access. An enterprise CA is at least a fairly well-known and understood risk.
I also don't see why I shouldn't be able to have an internal CA for my internal services.
That would result in that browser being banned by my company (amongst many others).
We have a regulatory requirement to prevent any customer data (and a lot of other data) leaving the premises.
Anything which prevents the proxies from scanning all requests to ensure they don't contain regulated data would get blocked very quickly.
There are ways to do this without intercepting HTTPS. Does your company monitor all phone calls looking for Morse code? Does your company monitor all photocopies? All photos taken with phones?
There are reasonable precautions that can be taken and proxying all traffic is a bit of an overkill.
Interestingly, I'm waiting for some IP lawsuit, as MITM is technically breaking encryption, and breaking encryption for DRM is against the DMCA. So MITMing HTTPS traffic to Spotify should be in violation of US copyright law. But I've never heard of a case.
MITM in this context is definitely not "breaking encryption". You have two legitimate, untampered-with TLS connections - one from the client to the proxy, one from the proxy to the destination web server. Nobody is breaking encryption used in these connections.
What this might be considered breaking instead is trust.
I think it’s legally grey. The expectation and design of the interaction is that the channel is secure between client and server. The equipment is owned by the company, not the individual. But the license is between the user and Spotify. The company is accessing the IP without a license and only accessed it by bypassing Spotify’s encryption.
I think it’s similar if Safari was MITMing requests without consent from both parties.
Is there anything wrong with a country monitoring the opinions which can be likened to propaganda that people are exposed to online? Every person's opinion is a form of bias, every country has its own laws, but who is right? The biggest group of aligned points of view or minority groups with aligned points of view? Why would a tech company like Mozilla or Google want to undermine the legal system in a country?
Why should Mozilla & Google support the legal system of a country?
This is like saying an arms dealer should sell to any government
The government was undermining the security features of the browser. The browser is functioning to mitigate that interception. HTTPS is about having a secure link between client & server, not client & server & government
Many companies do that. That apparently was OK. So Mozilla fully supports MITM when it's a US company, but it does not support MITM when it's a foreign government. Talk about double standards.
You can quit working at a company. Most people can't quit living in their countries.
You can keep working at the company, and access company-monitored/blocked sites in your own time with your own devices at home. No such option when the government is mandating monitoring/blocking.
Downvote all you want, but this is not good. Mozilla is not above the law. A government has sovereign (!!) rights which let it spy on its users if it so chooses.
You can disagree with it. You can refuse to do business in that country. But to actively work in hostility to a foreign government is criminal.
I am surprised there are no US laws that would adversely affect Mozilla.
Your views and opinions, however well intended, do not supersede a government's legitimate right to govern its citizens.
The only exceptions are human rights violations or crimes against humanity. TLS interception hardly counts as such. If it does, please prosecute US corporations that intercept TLS before you meddle with a foreign country's practices.
I think people forget that the internet does not supersede geographic boundaries and legitimate (as in accepted as such by other nations) governments.
A government has sovereign rights... within that country. Not outside, though. Why should Mozilla (which is not a Kazakhstan entity) be subject to the laws of Kazakhstan? Should it not be subject to the laws of the US (presuming it is a US entity)?
> I am surprised there are no US laws that would adversley affect Mozilla.
Why should US law be subject to the law of Kazakhstan? That would kind of be a limit on US sovereignty, wouldn't it?
> But to actively work in hostility ti a foreign government is criminal.
No, it's only criminal within that country. If it's a foreign country, then you're not within that country - that's kind of what "foreign" means. I do what I do, paying attention to the laws of my country. I don't pay attention to the laws of other countries, because I'm not subject to them. They can pass all the laws they want. I don't care. I'm not following them, because I'm not there.
(Kazakhstan can, of course, freely prohibit Mozilla within its borders. It certainly has the right to do so.)
> A government has sovereign rights... within that country.
Sovereignty doesn't have bounds on scope, only on applicability. That is, it applies to actions anywhere, but only to things brought within the practical power (which isn't the same thing as territorial boundaries) of the sovereign.
> Why should Mozilla (which is not a Kazakhstan entity) be subject to the laws of Kazakhstan?
Because there is no superior sovereign over Kazakhstan to say no. That's what sovereignty is ultimately about.
> That would kind of be a limit on US sovereignty, wouldn't it?
That sovereign entities are in a state of perpetual conflict, and that this conflict is the only limit on the power of sovereigns, is a very old and well-known observation about sovereignty.
> No, it's only criminal within that country.
Very few, if any, countries actually only criminalize conduct within their own territory. Most criminalize some conduct whether or not it's within their own territory, and some (including the US) criminalize certain conduct only if it is outside their own territory. In fact, in some cases there is broad international consensus that nations should criminalize certain conduct even when committed by foreigners in foreign lands.
> > Why should Mozilla (which is not a Kazakhstan entity) be subject to the laws of Kazakhstan?
> Because there is no superior sovereign over Kazakhstan to say no. That's what sovereignty is ultimately about.
But Mozilla doesn't reside in Kazakhstan. So what are you saying? That Kazakhstan can make a rule that has zero real-world effect because they can't enforce it, and because nobody can make them change their rule, they are therefore sovereign?
Which would be relevant if there were a global sovereign and the government of Kazakhstan merely the regional administration beneath it of a particular territory, and if that sovereign made it relevant. Foreign residency alone doesn't immunize one from the rules of a sovereign either in theory or with a sufficiently capable and motivated one, in practice.
> That Kazakhstan can make a rule that has zero real-world effect because they can't enforce it, and because nobody can make them change their rule, they are therefore sovereign?
Close, but not quite. Rather, Kazakhstan, being sovereign, can make whatever rules it wants and is limited in applying them only by practical constraints, mostly those applied by other sovereigns. It may or may not be able to effectively apply its laws to some conduct beyond its borders; certainly other sovereign entities have done quite a bit of that.
> Close, but not quite. Rather, Kazakhstan, being sovereign, can make whatever rules it wants and is limited in applying them only by practical constraints, mostly those applied by other sovereigns.
And absent any practical way for them to enforce their rules, no one has any good reason to respect them. Nor does their claim to "sovereignty" give them any kind of moral imperative over the actions of people who do not reside in that country on any philosophical theory of law that I am aware of. So without a practical reason (the threat of force) or a moral imperative (patently non-existent), why should Mozilla comply with their wishes?
If the smallest sovereign state in the world passed a law that said that marriages in the United States were invalid if they were between two people of the same gender, would anyone care? Should they?
What gives a government sovereign rights? Is it the will of its people? Clearly not, as numerous countries are democracies only in name.
No, it is the power of coercion (tanks and jail cells). De facto, an area where some entity projects uncontested force is a state. And the will of that entity is the law. And anyone who disobeys that will in that area is a criminal (according to the state).
Someone using a position of power to do things to others that are powerless to resist is bullying, plain and simple. Do bullies have a "sovereign right"? Should bullying not be resisted? What is the difference with dictatorships but in scale? Data collected from mass surveillance can be used for many ends far from benign.
Kazakhstan's government is free to exercise their sovereignty and ban people from downloading Firefox there, if they want. Sovereignty does not entail being able to force foreign software developers to help you be totalitarian.
If they have the ability, they can invade the US and force Mozilla to trust the CA.
This applies to Mozilla because it explicitly interfered against the legitimate practices of the Kazakhstan government. Their reasoning and intent is not simply a violation of rules but rather to protect citizens of Kazakhstan against their own government. For that reason, this is a violation and interference against a sovereign nation's internal affairs.
Not sure what counts as human rights in your book, but to me freedom of speech and a right to privacy are among them. I'm glad some companies stepped up to protect their users from their authoritarian government as a matter of principle. It shows that corporate values can do good.
None of those are rights inherent to a human being. As can be showcased by almost every non-democratic government of every civilization in history.
If you invented it, it's a right you're enforcing on your own initiative. Human rights are self-evident and widely accepted across cultural boundaries. Which is why they are universally accepted as human rights.
The criterion here is the ability of the majority of humans to agree that, after observation of historical practices against modern context, something can be considered a right a person enjoys just for being human.
Freedom of speech is a right you enjoy for living in a country that allows it. It's not a right you attained for being a human but because some people signed the Bill of Rights (for Americans).
Articles 12 and 19 of the UN Human Rights Charter [1]:
> No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
> Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.
Just because some countries happen do have "historical practices" of violating human rights doesn't mean they have a right to keep violating them.
You are wrong in your understanding as well. The human rights charter is not legally binding and it was signed by only 48 of the initial UN members.
It merely reflects the beliefs of some UN members at the time. I think in the end, if national sovereignty means anything at all, then human rights are defined by each nation's laws.
For example, if Germany invaded the US to liberate Americans from lack of universal healthcare, which they as a nation consider to be a human right for Americans, are they justified?
If you believe so, then yes, what Mozilla did is alright. My argument is, for it to be a human right, you need historical precedence and universal (not a mere majority) acceptance. It is a right you attain simply for being human and nothing more.
Let me take it a step further: if a prisoner's privacy is taken away (which is the case in every prison), then is that person's human right being violated every day? If so, please let's talk about that, because you lose privacy for being arrested even without a trial or conviction!
Uhm... Since when is it bad for an entity in one country to stop working in another country because of ethical worries? Mozilla's ethics do not approve of how a given CA entity uses their power and so they are saying they will not trust their certificates. I certainly applaud them for that.
Even if they have the right to revoke a certificate, their reason cannot be to protect citizens of a country against their own government. That is insulting the citizens of the country; they get to decide if their government is violating their rights.
The reasoning and argument is what I disagree with, not Mozilla's rights as a US company.
Non-zero amount of work, negative benefit. Even wholly illegitimate states, such as Kazakhstan's, investigate legitimate crimes from time to time, and such an attempt would zero out any chance that government would otherwise have of extraditing someone who committed one.
Benefit is to set an international precedent where random citizens' or corporations' hostility can be accounted for or ignored. The benefit is political.