Feeds

Firefox 'death sentence' threat to TeliaSonera over gov spy claims

Mozilla may snub telecom giant's new SSL certs

Next gen security for virtualised datacentres

'Trusted CAs must not supply surveillance equipment to repressive regimes'

Kathleen Wilson, a program manager at Mozilla, claimed on the software foundation's newsgroups that there "appears to be evidence" TeliaSonera is providing software, services or devices to oppressive rulers that enable the interception and decryption of private, encrypted communications.

"Perhaps we can add policy that publicly trusted CAs must not supply surveillance equipment to repressive regimes - suggestions on wording and where to begin are welcome. In the meantime, we can still take action," she wrote.

Wilson continued:

All software companies (especially CAs) should know by now the risk involved in selling such software. In my opinion, it is very dangerous for any publicly trusted CA to also be in the business of selling software or services that could be used for communications interception and surveillance. It is even more obviously dangerous for a publicly trusted CA to be selling such services to oppressive regimes.

We requested an interview with Wilson, but she was not available to comment.

A TeliaSonera spokesperson told The Reg it has an "ongoing dialogue" with Mozilla, but added: "We are concerned about the Mozilla discussion. This is an industry issue that concerns all telecom operators. However we believe that a telco should be able to also have a CA business. As a CA we have a clean record and should be judged by that."

TeliaSonera is right to be concerned because what's at stake is the future of the company's SSL cert-selling business. The ISP giant already has two certs in Firefox's trusted list - so-called Class1 and Class2 CAs dating from 2001 - but they will expire in 2021, and the corporation wants to start selling SSL certificates using the new paperwork as soon as possible. The new root certificate also uses a stronger 4096-bit cryptographic key.

Firefox has a 20 per cent share of the global mobile and desktop web-browser market according to stats outfit StatCounter. By refusing to recognise TeliaSonera's new root certificate, Mozilla could block off a decent chunk of future business from the ISP. The intention of vocal Mozilla users is clear: to render TeliaSonera's root certificate toxic, and box off the carrier from the rest of the net.

Soghoian explained the implications: "Mozilla has 20 per cent of the browser market. No one will buy a HTTPS certificate that only works for 80 per cent of browsers, particularly when so many other certificate authorities exist whose certs are trusted by all of the browsers.

"If Mozilla kicks a CA out of the trust database, it is essentially a death sentence for the company - or at least, its certificate-selling business. No one is going to pay money for a certificate that generates warnings for millions of Firefox users."

Vote for the correct Eurovision entry ... or else

The catalyst for Mozilla's action appears to be growing claims that companies TeliaSonera owns or partially owns in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan have allowed g-men to intercept users' voice and web communications on supposedly secure lines. Information gathered has then been used by repressive states to harass, arrest and torture citizens.

The allegations were made in an hour-long Swedish documentary by the news show Mission: Investigate.

The data intercepted includes mobile phone location tracking, phone calls, voicemails, emails and text messages, it is claimed. Human-rights activists, protesters, journalists, and members of political parties opposed to their rulers have been targeted, we're told.

Further reports from the Electronic Frontier Foundation claim folks were interrogated in Azerbaijan solely because they voted for rivals Armenia in the 2009 Eurovision song contest.

A TeliSonera official went on camera in the Mission Investigate documentary to defend the company. She said the telco cooperates with nations on a case-by-case basis based on who is asking for the information.

The documentary, however, also quotes an unnamed source who claims TeliaSonera's tentacles have built what are known as "systems for operative investigative activities" and hooked them into the ISP's networks; these tap into the telco's infrastructure, allowing spooks to dip into internet traffic as they wish whenever they want.

The interception centres first appeared in Russia and were operated by the Federal Security Service (FSB) - the post-Soviet successor to the KGB. The centres must be installed by law on the networks of the countries in question at the carrier's expense.

The Mission Investigate report claims the monitoring centres have been installed at TeliaSonera-backed companies Ucell in Uzebekistan, Kcell in Kazakhstan, and Azercell in Azerbaijan - and Life in Belarus, which TeliaSonera owns indirectly through Turkcell.

We asked TeliaSonera to clarify the situation. The company did not respond in time, but we will update this story as soon as we hear anything from the firm.

A spokeswoman for the giant told the Mozilla community:

As for all operators, TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation. The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime.

This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country. However together we strive to develop common principles for handling situations where there is a conflict between human rights and national legislation.

This is not the first time TeliaSonera has been in trouble over its dealings in formerly Soviet Eurasian states. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.