Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/17/2013
06:42 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Mozilla Weighs Excommunication For Certificate Authority TeliaSonera

Swedish telecom provider accused of helping governments spy on citizens.

Mozilla is mulling whether to refuse to recognize Swedish telecom multinational TeliaSonera as a trusted certificate authority because of claims the company assists governments with surveillance.

TeliaSonera has asked Mozilla to accept its new root certificate in the list of trusted certificates used by Firefox. If Mozilla does not do so, websites that purchase SSL certificates from TeliaSonera or its affiliates will generate warnings when visited by Firefox users. Those warnings will likely deter online visitors from interacting with affected websites and would probably ruin the company's ability to sell SSL certificates.

"TeliaSonera's roots are a topic of active and public discussion in the Mozilla community," a Mozilla spokeswoman said in an email. "We have not reached a decision at this time. The decision to trust a certificate authority in Mozilla products is one we make very carefully. Each authority is publicly vetted before inclusion, and is required to provide regular, public audits of policy compliance once included."

[ Want to know how Google is giving legacy apps extended life? Read Google Offers Life Support For Old Internet Explorer Versions. ]

Mozilla's concern is that a certificate authority can provide governments or other parties with the ability to conduct a man-in-the-middle attack in order to covertly intercept online communications. The company's certificate inclusion policy states that would-be certificate authorities must disclose their business practices and publicly declare their compliance with Mozilla's requirements.

In a discussion of the issue in Mozilla's security policy group that has been going on since early March, Mozilla program manager Kathleen Wilson noted that there appears to be evidence that TeliaSonera is currently providing software, services or devices that enable customers, including oppressive regimes, to conduct surveillance and interception of communications.

Some participants in the discussion contend that the role of a certificate authority -- attesting to the security of websites -- is incompatible with selling surveillance technology that bypasses security.

Christopher Soghoian, a noted privacy researcher who recently became principal technologist at the American Civil Liberties Union, argued in a post to Mozilla's TeliaSonera discussion that certificate authorities should not be in the surveillance business. "Mozilla can and should use its power to force these companies to pick which market they want to be in -- they can either provide wiretaps or HTTPS certificates, but not both," he said.

Soghoian argued that telecommunications companies, such as Verizon, should not be allowed to sell SSL certificates at all. "In many countries (including the U.S.), telecommunications carriers are required to provide surveillance assistance to governments," he said. "This will likely mean that telecommunications carriers will not be able to be in the certificate business."

Last year, the Electronic Frontier Foundation accused TeliaSonera of "colluding with authoritarian regimes by selling them high-tech surveillance gear to spy on its citizens," based on an investigation conducted by Swedish news show Uppdrag Granskning.

TeliaSonera insists that it meets Mozilla's requirements and that the company only wants to upgrade its CA root certificate for legitimate business reasons, such as making the certificates it issues valid for longer periods of time, accommodating longer encryption-key lengths and reflecting the company's name change from Sonera to TeliaSonera.

Addressing the issue in a post last month, TeliaSonera senior public relations manager Irene Krohn said TeliaSonera only provides interception surveillance services as required by law in the countries where it operates. "The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime," she wrote. "This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15703
PUBLISHED: 2020-10-31
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivile...
CVE-2020-5991
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
CVE-2020-15273
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
CVE-2020-15276
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.
CVE-2020-15277
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.