Seems like something happened early Friday morning. [1]
[1] https://censoredplanet.org/kazakhstan/live
On Sun, Jul 28, 2019 at 2:43 PM John Erling Blad jeblad@gmail.com wrote:
You are right. “Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.” [1]
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
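To make the quoted Firefox/Chrome rule concrete (and the point further down the thread that HPKP would have made the interception harder), here is an added Python model of HPKP pin evaluation. It is an illustration written for this page, not code from any of the posters, from Firefox or from Chrome. It encodes constructed RSA keys as DER SubjectPublicKeyInfo, computes the RFC 7469 pin-sha256 value, and evaluates a host's pin set against a validated chain, skipping enforcement when the chain's trust anchor is not one of the built-in roots. The `toy_spki`, `evaluate_pins` and `run_scenarios` names, the labels and the chains are all assumptions for illustration; the moduli are derived from labels and are not real keys.

```python
"""Model of HPKP pin evaluation with the user-installed trust anchor exemption.

Added illustration for this thread; not code from Firefox, Chrome or any poster.
Only the standard library is used; the keys below are constructed, not real.
"""
import base64
import hashlib

# 1.2.840.113549.1.1.1 (rsaEncryption), already DER-encoded as an OBJECT IDENTIFIER
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value wrapper used for every element below."""
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER; a leading zero keeps values with the top bit set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_spki_der(modulus: int, exponent: int) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo (RFC 5280 s4.1, RFC 3279 s2.3.1)."""
    rsa_public_key = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # BIT STRING, 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


def hpkp_pin(spki_der: bytes) -> str:
    """pin-sha256 as defined in RFC 7469: base64 of SHA-256 over the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def evaluate_pins(chain_spkis, pinned_pins, builtin_root_pins):
    """Decide what a pinning client does with an already-validated chain.

    chain_spkis: DER SPKIs from leaf to trust anchor (the anchor is chain_spkis[-1]).
    pinned_pins: the host's pin set (from a Public-Key-Pins header or a preload list).
    builtin_root_pins: pins of the roots shipped with the client.

    Mirrors the rule quoted in the thread: pins are only enforced when the chain
    terminates at a built-in root, so a locally installed root is never checked.
    """
    anchor_pin = hpkp_pin(chain_spkis[-1])
    if anchor_pin not in builtin_root_pins:
        return "pins-ignored-user-anchor"     # enforcement skipped entirely
    if any(hpkp_pin(spki) in pinned_pins for spki in chain_spkis):
        return "pin-match"                     # at least one chain key is pinned
    return "pin-violation"                     # connection would be refused


def toy_spki(label: str) -> bytes:
    """Deterministic, constructed 2048-bit 'modulus' derived from a label; NOT a real
    key, only DER-shaped input so the pin arithmetic has something to hash."""
    modulus = int.from_bytes(hashlib.sha256(label.encode()).digest() * 8, "big") | (1 << 2047)
    return rsa_spki_der(modulus, 65537)


def run_scenarios() -> dict:
    """Three constructed chains for one hostname; returns the client's decision for each."""
    builtin_root = toy_spki("built-in root CA")
    pinned_intermediate = toy_spki("site's pinned intermediate CA")
    site_leaf = toy_spki("site leaf certificate")
    user_root = toy_spki("locally installed interception root")
    mitm_leaf = toy_spki("interception leaf issued for the same hostname")

    builtin_root_pins = {hpkp_pin(builtin_root)}
    site_pins = {hpkp_pin(pinned_intermediate)}

    legit_chain = [site_leaf, pinned_intermediate, builtin_root]
    mitm_chain = [mitm_leaf, user_root]

    return {
        # Normal case: chain through the pinned intermediate to a built-in root.
        "legitimate": evaluate_pins(legit_chain, site_pins, builtin_root_pins),
        # Interception: the anchor is a user-installed root, so pins are not consulted.
        "intercepted_user_root": evaluate_pins(mitm_chain, site_pins, builtin_root_pins),
        # Same chain if the exemption did not exist: the missing pinned key would be caught.
        "intercepted_if_enforced": evaluate_pins(
            mitm_chain, site_pins, builtin_root_pins | {hpkp_pin(user_root)}),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The first branch of `evaluate_pins` is the whole story from a defender's point of view: once a chain terminates at an anchor outside the shipped root store, neither a site's pins nor a preload list are consulted, so the only control left is on the client side, namely noticing that a site normally served through a public CA is now chaining to a root that was added locally.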
On Sun, Jul 28, 2019 at 2:07 PM Alex Monk krenair@gmail.com wrote:
Correct me if I'm wrong but I believe browsers always ignored HPKP rules when presented with a cert signed by a CA that is locally installed rather than default.
On Sun, 28 Jul 2019, 12:58 John Erling Blad, jeblad@gmail.com wrote:
The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but Chrome seems to have dropped support for HPKP [2]? Dropping HPKP made the MITM attack possible, by forcing the users to install the root certificate, as many of the sites listed have been on the HPKP list. With HPKP in place the scheme would be somewhat harder to implement.
[1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka <setthemfree@privacyrequired.com> wrote:
I don't see any position from Mozilla on this yet: https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhAC...
Couldn't find anything about Google Chrome.
Meanwhile, I have emailed security@wikimedia.org with a link to this discussion (hope it's not a terribly inappropriate thing to do).
It'd be great to hear from WMF about their view on this.
Best, Yury.
Yury Bulka setthemfree@privacyrequired.com writes:
I'm not in Kazakhstan and am not in direct touch with any of the Wikimedians there, so I don't know their position.
However, I'm not sure how much freedom they have in expressing their honest opinion about this publicly. Simply because it is always a pros-and-cons calculation to criticise your local government in such situations.
Yaroslav Blanter ymbalt@gmail.com writes:
I do not think Kazakhstan has a chapter. In the past, some Kazakh Wikimedians enjoyed close collaboration with the government (for example, the Kazakhstani Encyclopedia has been released under a free license and verbatim copied to the Kazakh Wikipedia), so that I do not expect much.
Cheers Yaroslav
On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <homesec1783@gmail.com> wrote:
> Yury
>
> What is the position of the Kazakhstan chapter on this?
>
> The Turnip
>
> On Sun, 21 Jul 2019 at 11:36, Yury Bulka <setthemfree@privacyrequired.com> wrote:
> >
> > I'm sure many have heard about this:
> >
> > https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> >
> > Essentially, the government in Kazakhstan started forcing citizens into
> > installing a root TLS certificate on their devices that would allow the
> > government to intercept, decrypt and manipulate all HTTPS traffic.
> >
> > Without the certificate, it seems, citizens can't access HTTPS pages (at
> > least on some ISPs).
> >
> > I think this has serious implications for Wikipedia & Wikimedia, as not
> > only they would be easily able to see which articles people read, but
> > also steal login credentials, depseudonymize people and even hijack
> > admin accounts.
> >
> > Another danger is that if this effort by Kazakhstan succeeds, other
> > governments may start doing the same.
> >
> > I wonder if WMF has any position on this yet?
> >
> > Best,
> > Yury.
> >
> > _______________________________________________
> > Wikimedia-l mailing list, guidelines at:
> > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
> > https://meta.wikimedia.org/wiki/Wikimedia-l
> > New messages to: Wikimedia-l@lists.wikimedia.org
> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> > <mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>