[Wikimedia-l] prism and certificate authorities, snooping https
Matthew Flaschen
matthew.flaschen at gatech.edu
Sun Jun 16 18:59:07 UTC 2013
On 06/15/2013 05:48 PM, rupert THURNER wrote:
> the conclusion is also interesting:
> when a company that uses a certificate authority located in a
> country different than the one in which it holds user data, it
> needlessly exposes users’ data to the compelled disclosure by an
> additional government.
>
> so, by getting the certificates from digicert, the traffic can easier
> be snooped by the u.s. government. and only u.s. citizens are
> protected by u.s. law. this gives a lot of trust :)
Your quote ("when a company that uses a certificate authority located in
a country different than the one in which it holds user data") warns of
what happens when you use a *foreign* (not the same as where the servers
are) cert. Wikimedia uses DigiCert, a provider in the same country,
exactly what that recommends.
Your statement that "the traffic can easier be snooped by the u.s.
government" is false. If Wikimedia received a secret U.S. court order
to turn over certain data, the certificate would make no difference,
since the headquarters and servers are already in the U.S.
But using a U.S. provider reduces the WMF's vulnerability to additional
governments.
Matt Flaschen