Firefox 'death sentence' threat to TeliaSonera over gov spy claims

Mozilla may snub telecom giant's new SSL certs

'Trusted CAs must not supply surveillance equipment to repressive regimes'

Kathleen Wilson, a program manager at Mozilla, claimed on the software foundation's newsgroups that there "appears to be evidence" TeliaSonera is providing software, services or devices to oppressive rulers that enable the interception and decryption of private, encrypted communications.

"Perhaps we can add policy that publicly trusted CAs must not supply surveillance equipment to repressive regimes - suggestions on wording and where to begin are welcome. In the meantime, we can still take action," she wrote.

Wilson continued:

All software companies (especially CAs) should know by now the risk involved in selling such software. In my opinion, it is very dangerous for any publicly trusted CA to also be in the business of selling software or services that could be used for communications interception and surveillance. It is even more obviously dangerous for a publicly trusted CA to be selling such services to oppressive regimes.

We requested an interview with Wilson, but she was not available to comment.

A TeliaSonera spokesperson told The Reg it has an "ongoing dialogue" with Mozilla, but added: "We are concerned about the Mozilla discussion. This is an industry issue that concerns all telecom operators. However we believe that a telco should be able to also have a CA business. As a CA we have a clean record and should be judged by that."

TeliaSonera is right to be concerned because what's at stake is the future of the company's SSL cert-selling business. The ISP giant already has two certs in Firefox's trusted list - so-called Class1 and Class2 CAs dating from 2001 - but they will expire in 2021, and the corporation wants to start selling SSL certificates using the new paperwork as soon as possible. The new root certificate also uses a stronger 4096-bit cryptographic key.

Firefox has a 20 per cent share of the global mobile and desktop web-browser market according to stats outfit StatCounter. By refusing to recognise TeliaSonera's new root certificate, Mozilla could block off a decent chunk of future business from the ISP. The intention of vocal Mozilla users is clear: to render TeliaSonera's root certificate toxic, and box off the carrier from the rest of the net.

Soghoian explained the implications: "Mozilla has 20 per cent of the browser market. No one will buy a HTTPS certificate that only works for 80 per cent of browsers, particularly when so many other certificate authorities exist whose certs are trusted by all of the browsers.

"If Mozilla kicks a CA out of the trust database, it is essentially a death sentence for the company - or at least, its certificate-selling business. No one is going to pay money for a certificate that generates warnings for millions of Firefox users."

Vote for the correct Eurovision entry ... or else

The catalyst for Mozilla's action appears to be growing claims that companies TeliaSonera owns or partially owns in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan have allowed g-men to intercept users' voice and web communications on supposedly secure lines. Information gathered has then been used by repressive states to harass, arrest and torture citizens.

The allegations were made in an hour-long Swedish documentary by the news show Mission: Investigate.

The data intercepted includes mobile phone location tracking, phone calls, voicemails, emails and text messages, it is claimed. Human-rights activists, protesters, journalists, and members of political parties opposed to their rulers have been targeted, we're told.

Further reports from the Electronic Frontier Foundation claim folks were interrogated in Azerbaijan solely because they voted for rivals Armenia in the 2009 Eurovision song contest.

A TeliaSonera official went on camera in the Mission: Investigate documentary to defend the company. She said the telco cooperates with nations on a case-by-case basis based on who is asking for the information.

The documentary, however, also quotes an unnamed source who claims TeliaSonera's tentacles have built what are known as "systems for operative investigative activities" and hooked them into the ISP's networks; these tap into the telco's infrastructure, allowing spooks to dip into internet traffic as they wish whenever they want.

The interception centres first appeared in Russia and were operated by the Federal Security Service (FSB) - the post-Soviet successor to the KGB. The centres must be installed by law on the networks of the countries in question at the carrier's expense.

The Mission: Investigate report claims the monitoring centres have been installed at TeliaSonera-backed companies Ucell in Uzbekistan, Kcell in Kazakhstan, and Azercell in Azerbaijan - and Life in Belarus, which TeliaSonera owns indirectly through Turkcell.

We asked TeliaSonera to clarify the situation. The company did not respond in time, but we will update this story as soon as we hear anything from the firm.

A spokeswoman for the giant told the Mozilla community:

As for all operators, TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation. The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime.

This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country. However together we strive to develop common principles for handling situations where there is a conflict between human rights and national legislation.

This is not the first time TeliaSonera has been in trouble over its dealings in formerly Soviet Eurasian states. ®
