Feeds

Firefox 'death sentence' threat to TeliaSonera over gov spy claims

Mozilla may snub telecom giant's new SSL certs

The Power of One eBook: Top reasons to choose HP BladeSystem

Firefox-maker Mozilla could issue a "death sentence" to TeliaSonera's SSL business over allegations the telecoms giant sold Orwellian surveillance tech to dictators.

The punishment would be an embarrassing blow to the company: it would effectively cut off HTTPS-encrypted websites verified by TeliaSonera from Firefox users, who make up one-fifth of the planet's web surfers.

Crucially, it will be seen as a tough stance against corporations that trade with authoritarian states.

TeliaSonera, which has globe-spanning operations and sells SSL certificates to Nordic websites, asked Mozilla to include its new root certificate in Firefox's list of trusted Certificate Authorities (CAs).

Mozilla, as a matter of routine, asked its community of users for their views on the request - but the software foundation was told a Swedish documentary had investigated claims that TeliaSonera was selling spooks technology to snoop on citizens' private communications. That alone may be enough to persuade Moz staff to refuse the new root certificate.

When a browser visits a HTTPS website - such as Google, Amazon or a bank - it must verify that it is talking to the genuine site, rather than a malicious server silently attempting to intercept the sensitive communication. Put simply, the website hands over its SSL certificate, which is like an ID card, to the browser, which checks this document's authenticity using the trusted root certificate belonging to the company that sold the SSL cert. If this chain of trust checks out, the connection can be trusted and encrypted.

If Mozilla decides to reject TeliaSonera's new root certificate, Firefox users who visit a website that uses an SSL cert generated from the new root certificate will be strongly warned they are visiting an untrusted website. Website operators would therefore steer clear of buying SSL certificates from TeliaSonera.

There are more details on the secure certificate system here [PDF].

Mozilla has asked folks to collate specific details about TeliaSonera's internet and phone services which are allegedly being used by dictators to carry out surveillance.

A spokesperson for the ISP giant told The Reg it is "concerned" about Mozilla's course of action. It added that TeliaSonera has a "clean record" and, like "all operators", it honours requests for "lawful interception" by governments.

It is claimed Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan - where TeliaSonera operates subsidiaries or is heavily invested - are using the ISP's networks to eavesdrop on their citizens. TeliaSonera is the dominant telco in Sweden and Finland but also operates in Denmark, Spain and Russia. The company's operations in Eurasia are detailed here [PDF].

Mozilla's concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites - so-called man-in-the-middle (MitM) attacks - and decrypt web traffic. This alleged activity would contradict Mozilla's policy against "knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates".

But a TeliaSonera representative told the Moz community that its new root certificate will "issue public [SSL] certificates only to Swedish and Finnish customers and citizens … All our processes and certificates are following Mozilla requirements and are validated yearly in a Webtrust audit".

The case has echoes of online security biz Trustwave, which generated a "skeleton key" SSL certificate so that an unnamed company could intercept and decrypt workers' HTTPS-encrypted communications. The revelation sparked calls for Firefox to stop accepting Trustwave-granted certificates.

The possibility of action against TeliaSonera was warmly welcomed by Washington DC-based privacy researcher and activist Chris Soghoian. He told The Reg the telco would "pay the price" for "getting into bed with some seriously nasty governments".

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.