
Firefox 'death sentence' threat to TeliaSonera over gov spy claims

Mozilla may snub telecom giant's new SSL certs


Firefox-maker Mozilla could issue a "death sentence" to TeliaSonera's SSL business over allegations the telecoms giant sold Orwellian surveillance tech to dictators.

The punishment would be an embarrassing blow to the company: it would effectively cut off HTTPS-encrypted websites verified by TeliaSonera from Firefox users, who make up one-fifth of the planet's web surfers.

Crucially, it will be seen as a tough stance against corporations that trade with authoritarian states.

TeliaSonera, which has globe-spanning operations and sells SSL certificates to Nordic websites, asked Mozilla to include its new root certificate in Firefox's list of trusted Certificate Authorities (CAs).

Mozilla, as a matter of routine, asked its community of users for their views on the request - but the software foundation was told a Swedish documentary had investigated claims that TeliaSonera was selling spooks technology to snoop on citizens' private communications. That alone may be enough to persuade Moz staff to refuse the new root certificate.

When a browser visits a HTTPS website - such as Google, Amazon or a bank - it must verify that it is talking to the genuine site, rather than a malicious server silently attempting to intercept the sensitive communication. Put simply, the website hands over its SSL certificate, which is like an ID card, to the browser, which checks this document's authenticity using the trusted root certificate belonging to the company that sold the SSL cert. If this chain of trust checks out, the connection can be trusted and encrypted.

If Mozilla decides to reject TeliaSonera's new root certificate, Firefox users who visit a website that uses an SSL cert generated from the new root certificate will be strongly warned they are visiting an untrusted website. Website operators would therefore steer clear of buying SSL certificates from TeliaSonera.
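To make the chain-of-trust mechanism and the effect of a rejected root concrete, here is an added Python example (not code from the article, from Mozilla or from TeliaSonera) using the third-party `cryptography` package. It builds a miniature trust decision of the kind a browser makes: a leaf certificate is accepted only if it names the host being visited, is within its validity period, and chains by signature (directly or via an intermediate) to a root present in the trust store. Every CA name, key and hostname in it is constructed for the demonstration; the `demo()` function mirrors the article's situation, with an established root in the store and a new root that is either left out or added.

```python
# Added example, not code from the article or from any CA or browser vendor.
# Assumes the third-party 'cryptography' package. Every CA name, key and
# hostname below is constructed for the demonstration.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1)  # fixed clock; naive datetimes are treated as UTC


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _build(subject, issuer, issuer_key, public_key, ca, hostname=None):
    """Sign a certificate for public_key with issuer_key (ECDSA/SHA-256)."""
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer).public_key(public_key)
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(days=1))
         .not_valid_after(NOW + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if hostname:  # leaf certs carry the host they are valid for in the SAN
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def make_ca(common_name, parent=None):
    """Self-signed root, or an intermediate when parent=(key, cert) is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    if parent is None:
        cert = _build(_name(common_name), _name(common_name), key, key.public_key(), True)
    else:
        parent_key, parent_cert = parent
        cert = _build(_name(common_name), parent_cert.subject, parent_key, key.public_key(), True)
    return key, cert


def issue_leaf(ca, hostname):
    """The 'ID card' a website presents: a non-CA cert signed by the issuing CA."""
    ca_key, ca_cert = ca
    key = ec.generate_private_key(ec.SECP256R1())
    return _build(_name(hostname), ca_cert.subject, ca_key, key.public_key(), False, hostname)


def is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def signed_by(cert, candidate_issuer):
    """Names must chain AND the candidate's public key must verify the signature."""
    if cert.issuer != candidate_issuer.subject or not is_ca(candidate_issuer):
        return False
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def chain_trusted(leaf, hostname, intermediates, trust_store, now=NOW):
    """The browser's question: is this cert for this host, in date, and does it
    chain (possibly through intermediates) to a root in our trust store?"""
    try:
        sans = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False
    if hostname not in sans.get_values_for_type(x509.DNSName):
        return False
    current = leaf
    for _ in range(6):  # bound the path length so bad input cannot loop forever
        if not (current.not_valid_before <= now <= current.not_valid_after):
            return False
        if any(signed_by(current, root) for root in trust_store):
            return True  # reached a trusted anchor
        nxt = next((c for c in intermediates if signed_by(current, c)), None)
        if nxt is None:
            return False  # chain ends at an unknown issuer: "untrusted website"
        current = nxt
    return False


def demo():
    """Mirrors the article: an established root in the store, a new root that is not."""
    old_root = make_ca("Established Root CA")
    new_root = make_ca("New Root CA")
    intermediate = make_ca("New Issuing CA", parent=new_root)
    store = [old_root[1]]
    host = "shop.example.test"
    return {
        "established": chain_trusted(issue_leaf(old_root, host), host, [], store),
        "new_root_rejected": chain_trusted(issue_leaf(intermediate, host), host,
                                           [intermediate[1]], store),
        "new_root_included": chain_trusted(issue_leaf(intermediate, host), host,
                                           [intermediate[1]], store + [new_root[1]]),
        "wrong_host": chain_trusted(issue_leaf(old_root, host), "bank.example.test", [], store),
    }
```

Running `demo()` gives `established` and `new_root_included` as `True`, and `new_root_rejected` and `wrong_host` as `False`: the same leaf certificate is accepted or refused purely on whether its root sits in the browser's store, which is what makes root-programme membership a commercial necessity for a CA. Real browsers add revocation checks, name constraints, key-usage rules and policy requirements on top of this skeleton.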

There are more details on the secure certificate system here [PDF].

Mozilla has asked folks to collate specific details about TeliaSonera's internet and phone services which are allegedly being used by dictators to carry out surveillance.

A spokesperson for the ISP giant told The Reg it is "concerned" about Mozilla's course of action. It added that TeliaSonera has a "clean record" and, like "all operators", it honours requests for "lawful interception" by governments.

It is claimed Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan - where TeliaSonera operates subsidiaries or is heavily invested - are using the ISP's networks to eavesdrop on their citizens. TeliaSonera is the dominant telco in Sweden and Finland but also operates in Denmark, Spain and Russia. The company's operations in Eurasia are detailed here [PDF].

Mozilla's concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites - so-called man-in-the-middle (MitM) attacks - and decrypt web traffic. This alleged activity would contradict Mozilla's policy against "knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates".

But a TeliaSonera representative told the Moz community that its new root certificate will "issue public [SSL] certificates only to Swedish and Finnish customers and citizens … All our processes and certificates are following Mozilla requirements and are validated yearly in a Webtrust audit".

The case has echoes of online security biz Trustwave, which generated a "skeleton key" SSL certificate so that an unnamed company could intercept and decrypt workers' HTTPS-encrypted communications. The revelation sparked calls for Firefox to stop accepting Trustwave-granted certificates.

The possibility of action against TeliaSonera was warmly welcomed by Washington DC-based privacy researcher and activist Chris Soghoian. He told The Reg the telco would "pay the price" for "getting into bed with some seriously nasty governments".

