Feeds

Firefox 'death sentence' threat to TeliaSonera over gov spy claims

Mozilla may snub telecom giant's new SSL certs

Providing a secure and efficient Helpdesk

Firefox-maker Mozilla could issue a "death sentence" to TeliaSonera's SSL business over allegations the telecoms giant sold Orwellian surveillance tech to dictators.

The punishment would be an embarrassing blow to the company: it would effectively cut off HTTPS-encrypted websites verified by TeliaSonera from Firefox users, who make up one-fifth of the planet's web surfers.

Crucially, it will be seen as a tough stance against corporations that trade with authoritarian states.

TeliaSonera, which has globe-spanning operations and sells SSL certificates to Nordic websites, asked Mozilla to include its new root certificate in Firefox's list of trusted Certificate Authorities (CAs).

Mozilla, as a matter of routine, asked its community of users for their views on the request - but the software foundation was told a Swedish documentary had investigated claims that TeliaSonera was selling spooks technology to snoop on citizens' private communications. That alone may be enough to persuade Moz staff to refuse the new root certificate.

When a browser visits a HTTPS website - such as Google, Amazon or a bank - it must verify that it is talking to the genuine site, rather than a malicious server silently attempting to intercept the sensitive communication. Put simply, the website hands over its SSL certificate, which is like an ID card, to the browser, which checks this document's authenticity using the trusted root certificate belonging to the company that sold the SSL cert. If this chain of trust checks out, the connection can be trusted and encrypted.

If Mozilla decides to reject TeliaSonera's new root certificate, Firefox users who visit a website that uses an SSL cert generated from the new root certificate will be strongly warned they are visiting an untrusted website. Website operators would therefore steer clear of buying SSL certificates from TeliaSonera.

There are more details on the secure certificate system here [PDF].

Mozilla has asked folks to collate specific details about TeliaSonera's internet and phone services which are allegedly being used by dictators to carry out surveillance.

A spokesperson for the ISP giant told The Reg it is "concerned" about Mozilla's course of action. It added that TeliaSonera has a "clean record" and, like "all operators", it honours requests for "lawful interception" by governments.

It is claimed Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan - where TeliaSonera operates subsidiaries or is heavily invested - are using the ISP's networks to eavesdrop on their citizens. TeliaSonera is the dominant telco in Sweden and Finland but also operates in Denmark, Spain and Russia. The company's operations in Eurasia are detailed here [PDF].

Mozilla's concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites - so-called man-in-the-middle (MitM) attacks - and decrypt web traffic. This alleged activity would contradict Mozilla's policy against "knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates".

But a TeliaSonera representative told the Moz community that its new root certificate will "issue public [SSL] certificates only to Swedish and Finnish customers and citizens … All our processes and certificates are following Mozilla requirements and are validated yearly in a Webtrust audit".

The case has echoes of online security biz Trustwave, which generated a "skeleton key" SSL certificate so that an unnamed company could intercept and decrypt workers' HTTPS-encrypted communications. The revelation sparked calls for Firefox to stop accepting Trustwave-granted certificates.

The possibility of action against TeliaSonera was warmly welcomed by Washington DC-based privacy researcher and activist Chris Soghoian. He told The Reg the telco would "pay the price" for "getting into bed with some seriously nasty governments".

New hybrid storage solutions

More from The Register

next story
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.