FYI, it seems Wikimedia is not being intercepted at the moment.
Of course, that may change.
It may also be relevant that Wikimedia uses HSTS, and that will make it
difficult for users to access the sites with intercepted certificates if
they have accessed the sites previously.
Chico Venancio
On Sun, 28 Jul 2019 at 08:58, John Erling Blad <jeblad(a)gmail.com> wrote:
The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but
Chrome seems to have dropped support for HPKP [2]? Dropping HPKP made the
MITM attack possible, by forcing the users to install the root certificate,
as many of the sites listed have been on the HPKP list. With HPKP in place
the scheme would be somewhat harder to implement.
[1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka <setthemfree(a)privacyrequired.com> wrote:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhA…
Couldn't find anything about Google Chrome.
Meanwhile, I have emailed security(a)wikimedia.org with a link to this
discussion (hope it's not a terribly inappropriate thing to do).
It'd be great to hear from WMF about their view on this.
Best,
Yury.
Yury Bulka <setthemfree(a)privacyrequired.com> writes:
I'm not in Kazakhstan and am not directly in touch with any of the
wikimedians there, so I don't know their position.
However, I'm not sure how much freedom they have in expressing their
honest opinion about this publicly. Simply because it is always a
pros-and-cons calculation to criticise your local government in such
situations.
Yaroslav Blanter <ymbalt(a)gmail.com> writes:
> I do not think Kazakhstan has a chapter. In the past, some Kazakh
> Wikimedians enjoyed close collaboration with the government (for example,
> the Kazakhstani Encyclopedia has been released under a free license and
> verbatim copied to the Kazakh Wikipedia), so that I do not expect much.
>
> Cheers
> Yaroslav
>
> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <homesec1783(a)gmail.com> wrote:
>
>> Yury
>>
>> What is the position of the Kazakhstan chapter on this?
>>
>> The Turnip
>>
>> On Sun, 21 Jul 2019 at 11:36, Yury Bulka
>> <setthemfree(a)privacyrequired.com> wrote:
>> >
>> > I'm sure many have heard about this:
>> >
>> > https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
>> >
>> > Essentially, the government in Kazakhstan started forcing citizens into
>> > installing a root TLS certificate on their devices that would allow the
>> > government to intercept, decrypt and manipulate all HTTPS traffic.
>> >
>> > Without the certificate, it seems, citizens can't access HTTPS pages (at
>> > least on some ISPs).
>> >
>> > I think this has serious implications for Wikipedia & Wikimedia, as not
>> > only they would be easily able to see which articles people read, but
>> > also steal login credentials, depseudonymize people and even hijack
>> > admin accounts.
>> >
>> > Another danger is that if this effort by Kazakhstan will succeed, other
>> > governments may start doing the same.
>> >
>> > I wonder if WMF has any position on this yet?
>> >
>> > Best,
>> > Yury.
>> >
>> > _______________________________________________
>> > Wikimedia-l mailing list, guidelines at:
>> > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
>> > https://meta.wikimedia.org/wiki/Wikimedia-l
>> > New messages to: Wikimedia-l(a)lists.wikimedia.org
>> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
>> > <mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>