[Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan


[Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Yury Bulka
I'm sure many have heard about this:
https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html

Essentially, the government in Kazakhstan started forcing citizens into
installing a root TLS certificate on their devices that would allow the
government to intercept, decrypt and manipulate all HTTPS traffic.

Without the certificate, it seems, citizens can't access HTTPS pages (at
least on some ISPs).

I think this has serious implications for Wikipedia & Wikimedia, as not
only would they easily be able to see which articles people read, but
also steal login credentials, depseudonymize people and even hijack
admin accounts.

Another danger is that if this effort by Kazakhstan succeeds, other
governments may start doing the same.

I wonder if WMF has any position on this yet?

Best,
Yury.

_______________________________________________
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: [hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Thomas Townsend
Yury

What is the position of the Kazakhstan chapter on this?

The Turnip

On Sun, 21 Jul 2019 at 11:36, Yury Bulka
<[hidden email]> wrote:


Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Steinsplitter Wiki-2
That's shocking...

>> I think this has serious implications for Wikipedia & Wikimedia, as not
>> only they would be easily able to see which articles people read, but
>> also steal login credentials, depseudonymize people and even hijack
>> admin accounts.

Yes, they can decrypt the traffic. Hopefully browser vendors will disallow the root certificate.
IMHO there isn't much WP can do, except showing a warning if somebody is trying to login
from the country in question.

--Steinsplitter


Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Yuri Astrakhan
I don't think browser vendors will block the ability to install a custom
root certificate because some corp clients may use it for exactly the same
reason -- creating an HTTPS proxy with fake certs in order to analyze
internal traffic (in the name of monitoring/security).

Browser vendors could make it more difficult to install, so that it would
require the corp IT department to do some magic, or even release two
versions of the browser - corp and general (with blocked uncertified root
certs), but at the end of the day those could be worked around.

The biggest deterrent in my opinion is educating the users about the
dangers such certs would bring (i.e. all your passwords and bank info will be
viewable by ISPs) - thus it would be a social rather than purely technical
solution.

On Mon, Jul 22, 2019 at 1:33 PM Steinsplitter Wiki <
[hidden email]> wrote:


Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

George William Herbert
Browser vendors could revoke the root that Kazakh authorities are using for
the scheme.

On Mon, Jul 22, 2019 at 5:35 AM Yuri Astrakhan <[hidden email]>
wrote:

--
-george william herbert
[hidden email]

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

rupert THURNER-2
displaying a warning that there is a MITM which reads all passwords and
banking information sounds nice, yuri. there even seem to be ways to
detect this client-server side:
https://www.reddit.com/r/javascript/comments/7ldypq/is_it_possible_to_detect_mitm_by_javascript_in_a/
-
you mean something like this would do, yury?

george, the trusted root certificates would be configurable, usually, like
for chrome here:
https://support.securly.com/hc/en-us/articles/206081828-How-to-manually-install-the-Securly-SSL-certificate-in-Chrome
companies pay money to get into this list, so they can easier sell their
website certificates. closing down the list for sure leads to some
anti-trust legal action in other countries.

btw, recently there was a blog post from a developer in iran, saying the
same :
https://shahinsorkh.ir/2019/07/20/how-is-it-like-to-be-a-dev-in-iran

this had an even more surprising aspect - not only would the country block
access to some site - but sites themselves decided to remove users having a
relationship with that country:
"Slack team, decided to join the sanctions. They simply deleted every
single user who they found out is Iranian! With no real prior notices! Many
people has lost their data on Slack and no one was going to do anything!"

rupert


On Mon, Jul 22, 2019 at 7:05 PM George Herbert <[hidden email]>
wrote:


Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Yury Bulka
Honestly, I am not sure what actions would be appropriate.

My initial reaction was - Wikipedia (and all Wikimedia sites) is
HTTPS-only, and this undermines HTTPS as such.

So if Wikipedia should only be accessible over (real, no
man-in-the-middle) HTTPS, perhaps requests that don't meet this criterion
should not be allowed. (Maybe a landing page displayed explaining the
security implications).

Another thought that popped up in my mind was to make it read-only over
insecure connections.

I'm not very familiar with the circumstances of the 2015 decision to
move to mandatory HTTPS and if that implied being blocked or
inaccessible in whole countries as a consequence of this policy. But if
that was the case, Kazakhstan perhaps falls into a similar category?

The technical difference (no HTTPS vs an HTTPS only if users allow
government man-in-the-middle) is just a technical detail in my opinion,
as the effects are the same as if Wikipedia was made only accessible
over unencrypted HTTP in Kazakhstan.

Showing warnings is of course an option, but I am not sure if this is an
effective security measure if users are forced by the government to
install a backdoor.

Maybe it's better if Wikipedia would only be accessible over VPN or Tor
if direct HTTPS is undermined this way. This would of course only work
if users can have a secure connection to a VPN...

Hopefully, browsers do blacklist the certificate. And hopefully, they
will not start a cat-and-mouse game by rotating their certificate...

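Rupert's question about detecting the interception on the client side and Yury's idea of refusing connections that are not genuine HTTPS both come down to what the trust store makes valid, so here is an added Go example (not code from this thread, from Wikimedia or from any browser) that builds a stand-in public CA and a stand-in interception root, issues a certificate for the same host from each, and checks each chain with and without the extra root installed and then against a pin on the expected issuer key. The host wiki.example, the CA names and the pin are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

const Host = "wiki.example" // constructed site name for the example, not a real deployment
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template returns a CA template when isCA is set, otherwise a server-certificate template for name.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parentKey; with parent == nil the result is a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the value public-key pinning compares.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// chainFor validates leaf for Host against roots, as a browser would; nil means "not trusted".
func chainFor(leaf *x509.Certificate, roots *x509.CertPool) []*x509.Certificate {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: Host})
	if err != nil {
		return nil
	}
	return chains[0]
}

// chainHasPin reports whether a validated chain carries one of the pinned keys, which an interception chain never does.
func chainHasPin(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[SPKIPin(c)] {
			return true
		}
	}
	return false
}

// Run issues a certificate for Host from a constructed public CA and from a constructed interception root, then reports what a client concludes in each trust-store state.
func Run() map[string]bool {
	publicCA, publicKey := issue(template("Constructed Public CA", 1, true), nil, nil)
	interceptCA, interceptKey := issue(template("Constructed Interception Root", 2, true), nil, nil)
	legitLeaf, _ := issue(template(Host, 10, false), publicCA, publicKey)
	interceptLeaf, _ := issue(template(Host, 11, false), interceptCA, interceptKey)
	stock := x509.NewCertPool() // trust store as shipped: the public CA only
	stock.AddCert(publicCA)
	modified := x509.NewCertPool() // trust store after the user installs the extra root
	modified.AddCert(publicCA)
	modified.AddCert(interceptCA)
	pins := map[string]bool{SPKIPin(publicCA): true} // the issuer key the client expects to see
	return map[string]bool{
		"legit_trusted_stock":        chainFor(legitLeaf, stock) != nil,
		"intercept_trusted_stock":    chainFor(interceptLeaf, stock) != nil,
		"intercept_trusted_modified": chainFor(interceptLeaf, modified) != nil,
		"legit_passes_pin":           chainHasPin(chainFor(legitLeaf, modified), pins),
		"intercept_passes_pin":       chainHasPin(chainFor(interceptLeaf, modified), pins),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Browsers deliberately exempt user-installed roots from their built-in pins, so a check like chainHasPin only helps in a client the operator controls, such as a native app. The origin server only ever sees the proxy's TLS session, so it cannot make this determination itself.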

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Yaroslav Blanter
I do not think Kazakhstan has a chapter. In the past, some Kazakh
Wikimedians enjoyed close collaboration with the government (for example,
the Kazakhstani Encyclopedia has been released under a free license and
copied verbatim to the Kazakh Wikipedia), so I do not expect much.

Cheers
Yaroslav

On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <[hidden email]>
wrote:


Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Yury Bulka
I'm not in Kazakhstan and am not directly in touch with any of the
Wikimedians there, so I don't know their position.

However, I'm not sure how much freedom they have in expressing their
honest opinion about this publicly. Simply because it is always a
pros-and-cons calculation to criticise your local government in such
situations.

Yaroslav Blanter <[hidden email]> writes:

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Yury Bulka
I don't see any position from Mozilla on this yet:
https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E

Couldn't find anything about Google Chrome.

Meanwhile, I have emailed [hidden email] with a link to this
discussion (hope it's not a terribly inappropriate thing to do).

It'd be great to hear from WMF about their view on this.

Best,
Yury.

Yury Bulka <[hidden email]> writes:

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

John Erling Blad
The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but
Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the
MITM attack possible, by forcing the users to install the root certificate,
as many of the sites listed have been on the HPKP list. With HPKP in place
the scheme would be somewhat harder to implement.

[1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438

On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka <[hidden email]>
wrote:

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Alex Monk
Correct me if I'm wrong but I believe browsers always ignored HPKP rules
when presented with a cert signed by a CA that is locally installed rather
than default.

On Sun, 28 Jul 2019, 12:58 John Erling Blad, <[hidden email]> wrote:

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Chico Venancio
In reply to this post by John Erling Blad
FYI, it seems Wikimedia is not being intercepted at the moment.
https://censoredplanet.org/kazakhstan

Of course, that may change.

It may also be relevant that Wikimedia uses HSTS, and that will make it
difficult for users to access the sites with intercepted certificates if
they have accessed the sites previously.

Chico Venancio

On Sun, 28 Jul 2019 08:58, John Erling Blad <[hidden email]>
wrote:

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

John Erling Blad
In reply to this post by Alex Monk
You are right. “Firefox and Chrome disable pin validation for pinned hosts
whose validated certificate chain terminates at a user-defined trust anchor
(rather than a built-in trust anchor). This means that for users who
imported custom root certificates all pinning violations are ignored.” [1]

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

On Sun, Jul 28, 2019 at 2:07 PM Alex Monk <[hidden email]> wrote:

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

John Erling Blad
Seems like something happened early Friday morning.[1]

[1] https://censoredplanet.org/kazakhstan/live

On Sun, Jul 28, 2019 at 2:43 PM John Erling Blad <[hidden email]> wrote:

> You are right. “Firefox and Chrome disable pin validation for pinned hosts
> whose validated certificate chain terminates at a user-defined trust anchor
> (rather than a built-in trust anchor). This means that for users who
> imported custom root certificates all pinning violations are ignored.” [1]
>
> [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
>
> On Sun, Jul 28, 2019 at 2:07 PM Alex Monk <[hidden email]> wrote:
>
>> Correct me if I'm wrong but I believe browsers always ignored HPKP rules
>> when presented with a cert signed by a CA that is locally installed rather
>> than default.
>>
>> On Sun, 28 Jul 2019, 12:58 John Erling Blad, <[hidden email]> wrote:
>>
>> > The Kazakhstan MITM could be stopped by HTTP Public Key Pinning [1], but
>> > Chrome seems to have dropped support for HPKP[2]? Dropping HPKP made the
>> > MITM attack possible, by forcing the users to install the root certificate,
>> > as many of the sites listed have been on the HPKP list. With HPKP in place
>> > the scheme would be somewhat harder to implement.
>> >
>> > [1] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
>> > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
>> >
>> > On Fri, Jul 26, 2019 at 3:05 PM Yury Bulka <[hidden email]> wrote:
>> >
>> > > I don't see any position from Mozilla on this yet:
>> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
>> > > https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E
>> > >
>> > > Couldn't find anything about Google Chrome.
>> > >
>> > > Meanwhile, I have emailed [hidden email] with a link to this
>> > > discussion (hope it's not a terribly inappropriate thing to do).
>> > >
>> > > It'd be great to hear from WMF about their view on this.
>> > >
>> > > Best,
>> > > Yury.
>> > >
>> > > Yury Bulka <[hidden email]> writes:
>> > >
>> > > > I'm not in Kazakhstan and am not directly in touch with any of the
>> > > > Wikimedians there, so I don't know their position.
>> > > >
>> > > > However, I'm not sure how much freedom they have in expressing their
>> > > > honest opinion about this publicly. Simply because it is always a
>> > > > pros-and-cons calculation to criticise your local government in such
>> > > > situations.
>> > > >
>> > > > Yaroslav Blanter <[hidden email]> writes:
>> > > >
>> > > >> I do not think Kazakhstan has a chapter. In the past, some Kazakh
>> > > >> Wikimedians enjoyed close collaboration with the government (for example,
>> > > >> the Kazakhstani Encyclopedia has been released under a free license and
>> > > >> verbatim copied to the Kazakh Wikipedia), so I do not expect much.
>> > > >>
>> > > >> Cheers
>> > > >> Yaroslav
>> > > >>
>> > > >> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <[hidden email]> wrote:
>> > > >>
>> > > >>> Yury
>> > > >>>
>> > > >>> What is the position of the Kazakhstan chapter on this?
>> > > >>>
>> > > >>> The Turnip
>> > > >>>
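The pinning behaviour quoted above in John Erling Blad's post (pins ignored when the chain ends at a user-installed root), as an added Python example that is not code from this thread or from any browser. The SPKI byte strings are constructed stand-ins for real SubjectPublicKeyInfo DER, and `parse_hpkp`, `validate_chain` and `interception_exposure` are hypothetical names; it also shows what the same interception chain would return if pins were enforced against every root.

```python
import base64
import hashlib

# Constructed sample SubjectPublicKeyInfo blobs standing in for real DER;
# real SPKIs would come from parsed certificates.
SITE_SPKI = b"constructed-spki-site-leaf"
SITE_ROOT_SPKI = b"constructed-spki-builtin-root"
MITM_SPKI = b"constructed-spki-interception-leaf"
MITM_ROOT_SPKI = b"constructed-spki-user-installed-root"


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header: str):
    """Parse a Public-Key-Pins header into (set of pins, max-age seconds)."""
    pins, max_age = set(), 0
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.lower() == "pin-sha256":
            pins.add(value)
        elif name.lower() == "max-age":
            max_age = int(value)
    return pins, max_age


def validate_chain(chain, pins, builtin_roots):
    """Model of the browser behaviour quoted from the Mozilla HPKP docs.

    chain: leaf-first list of SPKI byte strings; the last element is the root.
    Pin validation is skipped entirely when the chain terminates at a
    user-installed (non built-in) trust anchor, so an interception root
    added by the user is never compared against the site's pins.
    """
    if chain[-1] not in builtin_roots:
        return "pins-skipped-user-root"
    if any(spki_pin(spki) in pins for spki in chain):
        return "pin-match"
    return "pin-mismatch"


def interception_exposure(chain, builtin_roots):
    """Defender check: True when pinning gives no protection because the
    presented chain ends at a trust anchor outside the built-in store."""
    return chain[-1] not in builtin_roots


# Constructed header with a leaf pin and a backup (root) pin, 60-day max-age.
HEADER = (f'pin-sha256="{spki_pin(SITE_SPKI)}"; '
          f'pin-sha256="{spki_pin(SITE_ROOT_SPKI)}"; max-age=5184000')

if __name__ == "__main__":
    pins, _ = parse_hpkp(HEADER)
    builtin = {SITE_ROOT_SPKI}
    print(validate_chain([SITE_SPKI, SITE_ROOT_SPKI], pins, builtin))
    print(validate_chain([MITM_SPKI, MITM_ROOT_SPKI], pins, builtin))
    print(interception_exposure([MITM_SPKI, MITM_ROOT_SPKI], builtin))
```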

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Thomas Townsend
In reply to this post by Yaroslav Blanter
Yaroslav

If there is no local chapter willing and able to take action, then
presumably it falls to WMF central to do so, as they have in the USA
and Turkey.

The Turnip

On Tue, 23 Jul 2019 at 12:41, Yaroslav Blanter <[hidden email]> wrote:

>
> I do not think Kazakhstan has a chapter. In the past, some Kazakh
> Wikimedians enjoyed close collaboration with the government (for example,
> the Kazakhstani Encyclopedia has been released under a free license and
> verbatim copied to the Kazakh Wikipedia), so I do not expect much.
>
> Cheers
> Yaroslav
>
> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend <[hidden email]> wrote:
>
> > Yury
> >
> > What is the position of the Kazakhstan chapter on this?
> >
> > The Turnip

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

John Erling Blad
In reply to this post by Yury Bulka
Google, Apple, Mozilla move to block Kazakh surveillance system

https://www.reuters.com/article/us-kazakhstan-internet-surveillance/google-apple-mozilla-move-to-block-kazakh-surveillance-system-idUSKCN1VB17Q

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Yury Bulka
I'm getting a 404:(

John Erling Blad <[hidden email]> writes:

> Google, Apple, Mozilla move to block Kazakh surveillance system
>
> https://www.reuters.com/article/us-kazakhstan-internet-surveillance/google-apple-mozilla-move-to-block-kazakh-surveillance-system-idUSKCN1VB17Q

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

RhinosF1 Wikipedia
Link works fine for me, Yury.

On Fri, 23 Aug 2019 at 10:29, Yury Bulka <[hidden email]> wrote:

> I'm getting a 404:(
>
> John Erling Blad <[hidden email]> writes:
>
> > Google, Apple, Mozilla move to block Kazakh surveillance system
> >
> > https://www.reuters.com/article/us-kazakhstan-internet-surveillance/google-apple-mozilla-move-to-block-kazakh-surveillance-system-idUSKCN1VB17Q

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

Yury Bulka
Hm, interesting - the page reports 404 if JS is disabled, but loads
otherwise. Thanks for the hint. Also sharing Mozilla's statement:

https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/

Good to know.

RhinosF1 <[hidden email]> writes:

> link works fine for me Yury
>
> On Fri, 23 Aug 2019 at 10:29, Yury Bulka <[hidden email]> wrote:
>
>> I'm getting a 404:(
>>
>> John Erling Blad <[hidden email]> writes:
>>
>> > Google, Apple, Mozilla move to block Kazakh surveillance system
>> >
>> > https://www.reuters.com/article/us-kazakhstan-internet-surveillance/google-apple-mozilla-move-to-block-kazakh-surveillance-system-idUSKCN1VB17Q