That's shocking...
> I think this has serious implications for
Wikipedia & Wikimedia, as not
> only they would be easily able to see which articles people read, but
> also steal login credentials, depseudonymize people and even hijack
> admin accounts.
Yes, they can de-crypt the traffic. Hopefully browser vendors will disallow the root
certificate.
IMHO there isn't much WP can do, expect showing a warning if somebody is trying to
login
from the country in question.
--Steinsplitter
________________________________
Von: Wikimedia-l <wikimedia-l-bounces(a)lists.wikimedia.org> im Auftrag von Yury Bulka
<setthemfree(a)privacyrequired.com>
Gesendet: Sonntag, 21. Juli 2019 12:36
An: wikimedia-l(a)lists.wikimedia.org <wikimedia-l(a)lists.wikimedia.org>
Betreff: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan
I'm sure many have heard about this:
https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
Essentially, the government in Kazakhstan started forcing citizens into
installing a root TLS certificate on their devices that would allow the
government to intercept, decrypt and manipulate all HTTPS traffic.
Without the centificate, it seems, citizens can't access HTTPS pages (at
least on some ISPs).
I think this has serious implications for Wikipedia & Wikimedia, as not
only they would be easily able to see which articles people read, but
also steal login credentials, depseudonymize people and even hijack
admin accounts.
Another danger is that if this effort by Kazakhstan will succeed, other
governments may start doing the same.
I wonder if WMF has any position on this yet?
Best,
Yury.
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l(a)lists.wikimedia.org
Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>