Closed
Bug 1229827
Opened 9 years ago
Closed 8 years ago
Kazakhstan to MITM all HTTPS traffic
Categories
(CA Program :: CA Certificate Root Program, task)
CA Program
CA Certificate Root Program
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: phr-mozilla, Assigned: kathleen.a.wilson)
References
(Blocks 1 open bug)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0 Build ID: 20151029151421 Steps to reproduce: Raising issue described here: http://telecom.kz/en/news/view/18729 Actual results: The measure is not yet in force but the Kazakhstan government has announced plans to require all KZ internet users to install a special "national security certificate" in their browsers, so that KZ Telecom can MITM the traffic. This also affects browsers and software other than Firefox. Expected results: Not sure. One idea is add some kind of patch that prevents Firefox from accepting the certificate, or otherwise respond to the MITM. Another is to do nothing. In any case the developers should be aware of this. Not a Firefox bug per se, but I'm not sure where else to put this. The RFE category seems to be gone?
Reporter | ||
Comment 1•9 years ago
|
||
Forgot to add-- I saw this through a HN discussion: https://news.ycombinator.com/item?id=10663843
Updated•9 years ago
|
Assignee: nobody → kwilson
Component: Untriaged → CA Certificates
Product: Firefox → mozilla.org
Version: 42 Branch → other
Comment 3•8 years ago
|
||
gerv/kwilson: is there anything we can (want to) do about this, perhaps in conjunction with other browsers?
Flags: needinfo?(kwilson)
Flags: needinfo?(gerv)
Comment 4•8 years ago
|
||
I think this certificate and any feature attempts to do so (with new certificates)should be banned, by adding this certificates to internal browser ban list.
Comment 5•8 years ago
|
||
My understanding is that they backed away from this approach; can anyone provide confirmation one way or another? Gerv
Flags: needinfo?(gerv)
Comment 6•8 years ago
|
||
Kazakhstan ISP provider and mobile network providers (Beeline Kazakhstan) still actively pushing this. Official post from one of major Kazakhstan mobile network provider (liks to certificate disabled): https://www.beeline.kz/ru/mobile_help/sertificatofsecurity
Comment 7•8 years ago
|
||
They have removed page about this ROOT CA for MitM atacks (after I submit bug reports to Mizilla and Google): http://telecom.kz/certificate Looks like the are trying to hide this issue from world. But it still available in Google cache: http://webcache.googleusercontent.com/search?q=cache:ezbYk9XPY5kJ:telecom.kz/certificate+&cd=1&hl=ru&ct=clnk Moreover I have found they asking Mozilla to add this ROOT certificate as trusted to new browser builds. So they will be able do MitM atacks more easily, no need to ask users add this CA manually.
Comment 8•8 years ago
|
||
(In reply to Gervase Markham [:gerv] from comment #5) > My understanding is that they backed away from this approach; can anyone > provide confirmation one way or another? > > Gerv The dupe (bug 1281265) listed telekom.kz/certificate , which when I looked at it yesterday still seemed to confirm it. I kid you not, today it is a 404 (but it has a cat! :-) ). Here's the wayback machine's copy, also from yesterday (which is a bit uncanny...): http://web.archive.org/web/20160621170834/http://telecom.kz/certificate . Chucking that through google translate was what I based the needinfo on. I just tried, and I can't find any plausible denial/confirmation of what's going on (which might be my non-existent Russian/Kazakh skills, but there we are).
Comment 9•8 years ago
|
||
(In reply to :Gijs Kruitbosch from comment #8) > (In reply to Gervase Markham [:gerv] from comment #5) > > My understanding is that they backed away from this approach; can anyone > > provide confirmation one way or another? > > > > Gerv > > The dupe (bug 1281265) listed telekom.kz/certificate , which when I looked > at it yesterday still seemed to confirm it. I kid you not, today it is a 404 > (but it has a cat! :-) ). Here's the wayback machine's copy, also from > yesterday (which is a bit uncanny...): > http://web.archive.org/web/20160621170834/http://telecom.kz/certificate . > Chucking that through google translate was what I based the needinfo on. I > just tried, and I can't find any plausible denial/confirmation of what's > going on (which might be my non-existent Russian/Kazakh skills, but there we > are). For me looks like they removed this official publication from major ISP site after I actively post this issue to several bug trackers. Probably it also related to some post's about this issue in Internet (which is in russian mostly).
Assignee | ||
Comment 10•8 years ago
|
||
clearing my needinfo on this bug. I don't think there is any action for Mozilla to take on this, other than to not move forward with Bug #1232689.
Flags: needinfo?(kwilson)
Comment 11•8 years ago
|
||
This bug doesn't request any specific action; resolving. Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Updated•7 years ago
|
Product: mozilla.org → NSS
Updated•2 years ago
|
Product: NSS → CA Program
You need to log in
before you can comment on or make changes to this bug.
Description
•