The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the MITM attack possible, by forcing the users to install the root certificate, as many of the sites listed has been on the HPKP list. With HPKP in place the scheme would be somewhat harder to implement.
[1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka setthemfree@privacyrequired.com wrote:
I don't see any position from Mozilla on this yet: https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhAC...
Couldn't find anything about Google Chrome.
Meanwhile, I have emailed security@wikimedia.org with a link to this discussion (hope it's not a terribly inappropriate thing to do).
I'd be great to hear from WMF about their view on this.
Best, Yury.
Yury Bulka setthemfree@privacyrequired.com writes:
I'm not in Kazakhstan and am not in directly touch with any of wikimedians there, so I don't know their position.
However, I'm not sure how much freedom they have in expressing their honest opinion about this publicly. Simply because it is always a pros-and-cons calculation to criticise your local goverment in such situations.
Yaroslav Blanter ymbalt@gmail.com writes:
I do not think Kazakhstan has a chapter. In the past, some Kazakh Wikimedians enjoyed close collaboration with the government (for
example,
the Kazakhstani Encyclopedia has been released under a free license and verbatim copied to the Kazakh Wikipedia, so that I do not expect much.
Cheers Yaroslav
On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <homesec1783@gmail.com
wrote:
Yury
What is the position of the Kazakhstan chapter on this?
The Turnip
On Sun, 21 Jul 2019 at 11:36, Yury Bulka setthemfree@privacyrequired.com wrote:
I'm sure many have heard about this:
https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
Essentially, the government in Kazakhstan started forcing citizens
into
installing a root TLS certificate on their devices that would allow
the
government to intercept, decrypt and manipulate all HTTPS traffic.
Without the centificate, it seems, citizens can't access HTTPS pages
(at
least on some ISPs).
I think this has serious implications for Wikipedia & Wikimedia, as
not
only they would be easily able to see which articles people read, but also steal login credentials, depseudonymize people and even hijack admin accounts.
Another danger is that if this effort by Kazakhstan will succeed,
other
governments may start doing the same.
I wonder if WMF has any position on this yet?
Best, Yury.
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe