displaying a warning that there is a MITM which reads all passwords and
banking information sounds nice, yuri. there even seems to be ways to
detect this client-server side:
-
you mean something like this would do, yury?
george, the trusted root certificates would be configurable, usually, like
for chrome here:
companies pay money to get into this list, so they can easier sell their
website certificates. closing down the list for sure leads to some
anti-trust legal action in other countries.
btw, recently there was a blog post from a developer in iran, saying the
same :
this had an even more surprising aspect - not only would the country block
access to some site - but sites itself decided to remove users having a
relationship with that country:
"Slack team, decided to join the sanctions. They simply deleted every
single user who they found out is Iranian! With no real prior notices! Many
people has lost their data on Slack and no one was going to do anything!"
rupert
On Mon, Jul 22, 2019 at 7:05 PM George Herbert <george.herbert(a)gmail.com>
wrote:
Browser vendors could revoke the root that Kazakh
authorities are using for
the scheme.
On Mon, Jul 22, 2019 at 5:35 AM Yuri Astrakhan <yuriastrakhan(a)gmail.com>
wrote:
I don't think browser vendors will block the
ability to install a custom
root certificate because some corp clients may use it for exactly the
same
reason -- creating an HTTPS proxy with fake certs
in order to analyze
internal traffic (in the name of monitoring/security).
Browser vendors could make it more difficult to install, so that it would
require the corp IT department to do some magic, or even release two
versions of the browser - corp and general (with blocked uncertified root
certs), but at the end of the day those could be worked around.
The biggest deterrent in my opinion is to educating the users of the
dangers such certs would do (i.e. all your passwords and bank info will
be
viewable by ISPs) - thus it would be social
rather than purely technical
solution.
On Mon, Jul 22, 2019 at 1:33 PM Steinsplitter Wiki <
steinsplitter(a)wikipedia.de> wrote:
That's shocking...
>> I think this has serious implications for Wikipedia & Wikimedia, as
not
> >> only they would be easily able to see which articles people read,
but
> >> also steal login credentials,
depseudonymize people and even hijack
> >> admin accounts.
>
> Yes, they can de-crypt the traffic. Hopefully browser vendors will
> disallow the root certificate.
> IMHO there isn't much WP can do, expect showing a warning if somebody
is
trying to
login
from the country in question.
--Steinsplitter
________________________________
Von: Wikimedia-l <wikimedia-l-bounces(a)lists.wikimedia.org> im Auftrag
von
Yury Bulka
<setthemfree(a)privacyrequired.com>
Gesendet: Sonntag, 21. Juli 2019 12:36
An: wikimedia-l(a)lists.wikimedia.org <wikimedia-l(a)lists.wikimedia.org>
Betreff: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan
I'm sure many have heard about this:
https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
>
> Essentially, the government in Kazakhstan started forcing citizens into
> installing a root TLS certificate on their devices that would allow the
> government to intercept, decrypt and manipulate all HTTPS traffic.
>
> Without the centificate, it seems, citizens can't access HTTPS pages
(at
least on
some ISPs).
I think this has serious implications for Wikipedia & Wikimedia, as not
only they would be easily able to see which articles people read, but
also steal login credentials, depseudonymize people and even hijack
admin accounts.
Another danger is that if this effort by Kazakhstan will succeed, other
governments may start doing the same.
I wonder if WMF has any position on this yet?
Best,
Yury.
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l(a)lists.wikimedia.org
Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l(a)lists.wikimedia.org
Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l(a)lists.wikimedia.org
Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>
--
-george william herbert
george.herbert(a)gmail.com
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l(a)lists.wikimedia.org
Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>