709
linuxxx
6y

So, someone submitted a 'bug' to Mozilla.

As some of you may know, in the next year, the new mass surveillance law in the Netherlands is going into effect.

Another fun fact is that the Dutch security agencies/government have their own CA (Certificate Authority) for SSL/TLS certificates.

The new law says that the AIVD (Dutch NSA/GCHQ equivalent) is allowed to hack into systems through obtained certificates and also that they're allowed to INTERCEPT TRAFFIC THROUGH OBTAINED PRIVATE SSL/TLS KEYS.

So someone actually had the fucking balls to submit a fucking issue to Mozilla saying that the Dutch State certs shouldn't be accepted anymore when the new mass surveillance law gets into place.

This person deserves a fucking medal if you ask me.

Comments
  • 157
    That person should become president of the Netherlands so he can fix this shit
  • 114
    Not all heroes wear capes!
  • 17
    dpkg-reconfigure: I already trust 134, your new list has 127
    😀
  • 12
    Does anyone know how many sites have SSL under the Dutch root certificate?
  • 8
    @SZenC No clue tbh
  • 27
    So this is what that dystopian future looks like, pretty fucked up if you ask me ...
  • 9
    Do you have a link to the bug report?
  • 10
    @catintroholic Yup.
  • 7
    @Condor You can use any you want if you have the money :)
  • 8
    @Condor I don't think the law requires that, but if a site is signed by a Dutch CA, you're out of luck
  • 10
    That person has my full respect
  • 7
    Haha damn, if he didn't use a throwaway account I need to talk to this guy cause he doesn't give a damn
  • 5
    That's awesome! :D
  • 6
    But why are they putting such a law in place?
  • 16
    @neelgeek knowing governments "to protect against terrorist"
  • 4
    @PerfectAsshole But seeing the current situation in Europe, I feel it's ok to do this. If something bad happens, ppl r gonna blame the gov. finally.
  • 6
    @linuxxx I've meant to mention this for a while: If you want a horror story, watch the last episode of Black Mirror in season 3.
  • 4
    The fucking man! 👊🏼
  • 9
    Who’s down to form their own CA. Fully transparent and trustworthy?
  • 9
    @neelgeek there are ways to do that without becoming a surveillance state, besides I can bet that it won't stop anything cause most terrorists probably use throwaway phones using the darknet anyway so the only people that are going to suffer are the people doing minor crimes while the ones they need to catch get away.

    As for an alternative for a surveillance state, try to educate the public in what to look for and open up an online anonymous tip site. As long as they make it truly anonymous even if they got a bunch of spam tips it would still be less to filter through than tracking everybody
  • 7
    @Condor how did we get on the topic of hacking? Data can be decrypted as long as the government has the master private key which means not a damn thing needs to be hacked for them to view all traffic as if it was plaintext over http.
  • 4
    @linuxxx could you please share the Bugzilla link? I can initiate some interesting conversations in the communities
  • 11
    I fully agree that certs provided by an insecure entity should not be accepted by browsers. It's only logical that the CA gets banned. Don't know why it's medal deserving bravery. It is just a very good and early catch!

    Governments should pay for their own stupidity. I hope that they have to maintain their own browser to make their sites usable. The government's and parties' sites often do not comply with cookie law (even the ones trying to scare people into believing how important it is); they should be the first to pay a hefty fine.
  • 4
    Could anyone post a link to the page? Can't find it.
  • 9
    Here's the bugzilla link I assume @linuxxx is referring to :)
    https://bugzilla.mozilla.org/show_b...
  • 3
    @Python Nice, thank you!
  • 7
    @Bitwise

    It IS pretty big news in the security community.

    https://bleepingcomputer.com/news/...

    All Dutch government websites use this CA. In the Netherlands every citizen has a "DigID", a two-factor OAuth-like login which is used for everything, from submitting taxes to getting student loans and healthcare subsidies, from municipal permits to managing pension payouts.

    This CA is not where you buy a certificate for your own website, it's a certificate for the government use only.

    All governmental web traffic is encrypted using this CA, so if it's dropped from one of the major browsers as untrusted it would be a big deal.

    And this actually happened before! DigiNotar was the previous CA, and they had a breach, so they were instantly dropped by all browsers. It was quite chaotic, security wise, because suddenly the tax agency website was blocked.
  • 3
    @linuxxx what the actual fuck! I can't believe governments make this shit up out of thin air and expect people to adhere to it... you've educated me today, I didn't know they had their own certs and then tried to nail people based on it.
    I wasn't asking you Before, but I am now ;)
  • 4
    @Condor yeah that was the point of what i was saying, they're not going to catch the people they want by screwing up https, the only people that are going to suffer are the normal people who use the internet for basic stuff
  • 6
    @Condor The problem is that certificates are not (just) about encryption, they are about TRUST, they are about guaranteeing that an organization is authentic. A malicious user can encrypt data and pretend to be a bank, that doesn't make them a bank.

    You can encrypt data and exchange keys, but for the receiver to be sure that the signature truly belongs to a REAL person or organization you need an authority.

    The problem here isn't that you and I can't send OTR chat messages to each other, it's that our "NSA" is allowed to set up man in the middle traps using government certificates, effectively breaching the trust between user and CA.

    This means browsers can't trust the government CA for any website anymore because they have to protect their users against forged certificates.

    Which in turn means that end users can't trust valid government websites anymore, such as the one they use to pay their taxes.
  • 3
    @linuxxx @bittersweet Could the Dutch government technically force Mozilla (and other browser & OS vendors) to add their CA to the trusted CA store?
  • 3
    @PonySlaystation That would be difficult. Browsers and operating systems can freely decide who they mark as trusted, and usually have fairly strict rules, such as physical audits by WebTrust and ETSI, specifying everything from building security and alarm systems to personnel background screening and passport checks.

    A CA office tends to be somewhat of a military bunker for that reason — and that is also the reason why certificates cost money in the first place.
  • 3
    @Jop- Mozilla not being a Dutch organization, our government could only advise against the use of the browser.
  • 2
    @Condor If a CA is compromised, that is a problem, the intruder would be indistinguishable from you in a man in the middle attack.

    A good CA needs to verify at the very least that you own the domain, and for many types of certificates you also need to prove that you own a company using a passport and chamber of commerce documents.
  • 2
    Link me the bug report, going to upvote it, also going to submit the same request on every other browser
    @linuxxx Just reported it to Vivaldi, will do Chrome too
    @Bitwise If you control the CA certificate, you can easily do MitM attacks on any web pages which use certificates which are certified by that CA.

    It's a big security issue if a CA holder officially says, he is disgusting don't just that.
  • 6
    @Bitwise

    The problem is not that they would MitM their own sites.

    The problem is that an intelligence agency could legally use the CA to create forged-but-trusted certificates for Facebook for example, and set up a MitM. The new law is a dragnet law, and allows for this to happen at a large scale.

    That means browsers, if they have their user's best interests at heart, SHOULD distrust these certificates, because they don't comply with the rules.

    That, in turn, means that these certificates will not be trusted for VALID websites like those of municipalities and the tax agency anymore.
  • 3
    @Bitwise

    And that, in turn, means you can't easily trust the tax agency anymore, until they switch to a foreign, trusted CA again.
  • 3
    @Bitwise If a browser adds a CA to the list of trusted issuers, that CA holds a lot of power.

    The certificate authority is the one responsible for verifying ownership, but a compromised one can issue a certificate for literally any website.

    Suddenly, you could visit "devrant.com", with a nice green "secure connection" lock -- and only if you click a few times you notice it's issued by "KPN B.V." instead of "Comodo CA Ltd".
  • 1
    Upvote to get it higher on the list
    https://bugs.chromium.org/p/...
  • 1
    @inpothet Do I need a google account for that?
  • 1
    Maybe, just use a burner account
  • 1
    @linuxxx can't find the start button atm
  • 6
    1984 was not intended to be a manual...
  • 13
    @Nosferatu But the ones in power do use it as such.

    You give them ideas, they abuse them for their own gains. That's how it usually goes with them.
  • 1
    Chrome won't do a thing until they do 1 bad cert
  • 1
    You know i just thought of something if you use hsts this should be mitigated cause they would need to get your private key for hsts to not trigger. So if nothing else when the law takes effect and if the browsers don't remove the master certs a few plugins can be written to show a warning on those sites without hsts
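The two comments above (the one noting that the issuing CA is only visible after a few clicks, and this one proposing a plugin that warns on certain sites) both come down to checking who issued the certificate a server presents. The following is an added example, not code from any commenter: a Python check that flattens the `issuer` field of the dict returned by `ssl.SSLSocket.getpeercert()` and flags it when the issuing organization is on an operator-chosen distrust list. The distrust list and the sample certificate dict are constructed placeholders, and the check looks only at the leaf certificate's immediate issuer, not the full chain.

```python
import socket
import ssl

# Constructed placeholder: organizations an operator has decided to distrust.
DISTRUSTED_ISSUER_ORGS = {"Example Untrusted Root CA"}


def issuer_fields(cert: dict) -> dict:
    """Flatten the 'issuer' entry of a getpeercert() dict into {attribute: value}.

    getpeercert() returns the issuer as a tuple of RDNs, each RDN being a tuple
    of (attribute, value) pairs, e.g. ((('countryName', 'NL'),), ...).
    """
    fields = {}
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            fields[attr] = value
    return fields


def is_distrusted(cert: dict, distrusted_orgs=DISTRUSTED_ISSUER_ORGS) -> bool:
    """True when the certificate's issuer organizationName is on the distrust list."""
    org = issuer_fields(cert).get("organizationName")
    return org in distrusted_orgs


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch a live server's leaf certificate (needs network; not used by the sample below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the exact shape getpeercert() returns for a leaf certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": (
        (("countryName", "NL"),),
        (("organizationName", "Example Untrusted Root CA"),),
        (("commonName", "Example Untrusted Root CA - G3"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    print("issuer:", issuer_fields(SAMPLE_CERT))
    print("distrusted:", is_distrusted(SAMPLE_CERT))
```

Replace `SAMPLE_CERT` with `fetch_peer_cert("example.org")` to run the same check against a live host.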
  • 2
    I'd only let an A.I. spy on me. Without any human intervention, and its parameters to classify someone as a potential threat should be checked by a global committee formed by tech geniuses... dunno, like Musk and Woz.
  • 2
    @alanbal888 There are massive problems with AI classifying humans into threat levels, you know...
  • 3
    @theCalcaholic I don't know the current state of A.I. on classifying humans, perhaps in the future they'll get more clever. Also, I'm not saying that we'd provide robots with guns. Just classify them and then bring the target to an actual human analyst.
  • 2
    @alanbal888 The problems I'm talking about are inherent. AIs don't deduce, they learn and apply patterns. Even if you were to just observe a person based on an AI's classification (without any kind of further proof) that would be a strong intrusion into that person's privacy.

    An AI will find any patterns for crimes: You feed it with statistical data and it will tell you that all persons who are black, male, poor should be observed.

    What I'm saying is: an AI can never differentiate between correlation and causality. This kind of machine learning is already applied in some areas (e. g. New York if I recall correctly) and it had the described problems.

    As someone who works with ML let me tell you, that these can't be easily solved - probably not at all.
    It's how we humans make decisions and it works well enough, but we have abstracted decision systems in place (in science, law, etc), because they don't really lead to truth.
  • 3
    @theCalcaholic I see. Still, I'm more hopeful for these kinds of systems to evolve into more efficient ones that help fight and prevent all kinds of crimes than for politicians to stop being corrupt. I dunno, perhaps I've seen too much Winter Soldier. But surveillance is (for me) a better idea if it's a machine.
  • 1
    I don't get it. This would be my first thought because it is definitely an issue.
  • 3
    @linuxxx I just read this morning that Mozilla is now seriously considering revoking any certificates from the Dutch Government :D
  • 2
    @Drillan767 chromium/google wasn't as helpful https://bugs.chromium.org/p/...
    @Drillan767 btw I did the report to google/chromium
  • 1
    This honestly seems like a stand I could see Mozilla making, in one manner or another
  • 2
    @linuxxx letsencrypt is pretty cool 🤩
  • 3
    I was just too late before this rant exploded
  • 0
    @localjoost well, luckily I'm here 4 years later to still say a quick hello
  • 0
    @Tonnoman0909 hahaha nicely on time indeed