MITM in Kazakhstan
Categories
(Core :: Security Block-lists, Allow-lists, and other State, enhancement)
Tracking
()
People
(Reporter: sanitisedemail, Assigned: kathleen.a.wilson)
References
(Blocks 1 open bug)
Details
(Whiteboard: [ca-onecrl] )
Attachments
(1 file)
|
2.12 KB,
application/pkix-cert
|
Details |
+++ This bug was initially created as a clone of Bug #1680922 +++
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Actual results:
06.12.2020 will be exercises on "security". And will be tests with CA from government.
https://www.gov.kz/memleket/entities/mdai/press/news/details/132113?lang=ru https://www.kcell.kz/ru/product/trust-certificate
https://www.tele2.kz/support/sertificat
Expected results:
I think Mozilla must add it for blacklist(blocklist).
Proofs at RIPE Atlas Probe 6745 (Located in Kazakhstan, Nur-Sultan (ex. Astana)): https://atlas.ripe.net/frames/measurements/28334289/#!probes
|
Reporter | |
Comment 2•4 years ago
|
||
|
||
Comment 5•4 years ago
|
||
twitter.com is affected as well. That's observed from RIPE Atlas Probe 6745: https://atlas.ripe.net/measurements/28334941/#probes
|
||
Comment 6•4 years ago
|
||
Thanks for filing this! I'm moving it into the right component for blocklist consideration, so the right group will see this bug.
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 7•4 years ago
|
||
|
|
Assignee | |
Comment 8•4 years ago
|
||
|
|
Assignee | |
Comment 9•4 years ago
|
||
== Certificate Information ==
Country: KZ
Common Name: Information Security Certification Authority CA
Valid From: 2020-02-28T04:08:03Z
Valid To: 2040-02-28T04:08:03Z
Serial Number: 287dce0ce3c6f7aaa33ff965e76ea98c824a59db
SHA-256 Fingerprint: 61C0FC2E38B5B6F9071B42CEE54A9013D858B6697C68B460948551B3249576A1
SHA-1 Fingerprint: EE45853E5C81DB8FDBB7F92C18B20972C744911C
|
|
Assignee | |
Updated•4 years ago
|
|
||
Comment 10•4 years ago
|
||
[11:21:50] Stage-Stage: 1305 Stage-Preview: 1305 Stage-Published: 1305 compare.py:67
Prod-Stage: 1305 Prod-Preview: 1305 Prod-Published: 1304 compare.py:75
[11:21:51] Verifying stage against preview compare.py:82
stage/security-state-staging (1305) and stage/security-state-preview (1305) are equivalent compare.py:87
stage/security-state-staging (1305) and prod/security-state-staging (1305) are equivalent compare.py:87
stage/security-state-staging (1305) and prod/security-state-preview (1305) are equivalent compare.py:87
stage/security-state-preview (1305) and prod/security-state-staging (1305) are equivalent compare.py:87
[11:21:52] stage/security-state-preview (1305) and prod/security-state-preview (1305) are equivalent compare.py:87
prod/security-state-staging (1305) and prod/security-state-preview (1305) are equivalent compare.py:87
No changes are waiting in staging compare.py:90
There are 1 changes waiting in production. Adding: compare.py:99
{
'details': {'bug': '1680927', 'who': 'dkeeler@mozilla.com', 'why': 'Kazakhstan MITM (#3)', 'name': 'Information Security Certification Authority CA', 'created': '2020-12-07T23:52:21Z'},
'enabled': True,
'issuerName': 'MFYxODA2BgNVBAMTL0luZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IENBMQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==',
'serialNumber': 'KH3ODOPG96qjP/ll526pjIJKWds='
}
Staging is updated, and production changes are waiting, so Firefox can use compare.py:110
Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)
and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test
OneCRL.
|
||
Comment 11•4 years ago
|
||
Can you also add the https://check.isca.gov.kz/ address to the the black list (Phishing and Malware Protection) please.
|
|
Assignee | |
Comment 12•4 years ago
|
||
This root was added to OneCRL in December.
https://blog.mozilla.org/netpolicy/2020/12/18/kazakhstan-root-2020/
Description
•