Firefox 'death sentence' threat to TeliaSonera over gov spy claims

Mozilla may snub telecom giant's new SSL certs

'Trusted CAs must not supply surveillance equipment to repressive regimes'

Kathleen Wilson, a program manager at Mozilla, claimed on the software foundation's newsgroups that there "appears to be evidence" TeliaSonera is providing software, services or devices to oppressive rulers that enable the interception and decryption of private, encrypted communications.

"Perhaps we can add policy that publicly trusted CAs must not supply surveillance equipment to repressive regimes - suggestions on wording and where to begin are welcome. In the meantime, we can still take action," she wrote.

Wilson continued:

All software companies (especially CAs) should know by now the risk involved in selling such software. In my opinion, it is very dangerous for any publicly trusted CA to also be in the business of selling software or services that could be used for communications interception and surveillance. It is even more obviously dangerous for a publicly trusted CA to be selling such services to oppressive regimes.

We requested an interview with Wilson, but she was not available to comment.

A TeliaSonera spokesperson told The Reg it has an "ongoing dialogue" with Mozilla, but added: "We are concerned about the Mozilla discussion. This is an industry issue that concerns all telecom operators. However we believe that a telco should be able to also have a CA business. As a CA we have a clean record and should be judged by that."

TeliaSonera is right to be concerned because what's at stake is the future of the company's SSL cert-selling business. The ISP giant already has two certs in Firefox's trusted list - so-called Class1 and Class2 CAs dating from 2001 - but they will expire in 2021, and the corporation wants to start selling SSL certificates using the new paperwork as soon as possible. The new root certificate also uses a stronger 4096-bit cryptographic key.

Firefox has a 20 per cent share of the global mobile and desktop web-browser market according to stats outfit StatCounter. By refusing to recognise TeliaSonera's new root certificate, Mozilla could block off a decent chunk of future business from the ISP. The intention of vocal Mozilla users is clear: to render TeliaSonera's root certificate toxic, and box off the carrier from the rest of the net.

Soghoian explained the implications: "Mozilla has 20 per cent of the browser market. No one will buy an HTTPS certificate that only works for 80 per cent of browsers, particularly when so many other certificate authorities exist whose certs are trusted by all of the browsers.

"If Mozilla kicks a CA out of the trust database, it is essentially a death sentence for the company - or at least, its certificate-selling business. No one is going to pay money for a certificate that generates warnings for millions of Firefox users."

Vote for the correct Eurovision entry ... or else

The catalyst for Mozilla's action appears to be growing claims that companies TeliaSonera owns or partially owns in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan have allowed g-men to intercept users' voice and web communications on supposedly secure lines. Information gathered has then been used by repressive states to harass, arrest and torture citizens.

The allegations were made in an hour-long Swedish documentary by the news show Mission: Investigate.

The data intercepted includes mobile phone location tracking, phone calls, voicemails, emails and text messages, it is claimed. Human-rights activists, protesters, journalists, and members of political parties opposed to their rulers have been targeted, we're told.

Further reports from the Electronic Frontier Foundation claim folks were interrogated in Azerbaijan solely because they voted for rivals Armenia in the 2009 Eurovision song contest.

A TeliaSonera official went on camera in the Mission Investigate documentary to defend the company. She said the telco cooperates with nations on a case-by-case basis, depending on who is asking for the information.

The documentary, however, also quotes an unnamed source who claims TeliaSonera's tentacles have built what are known as "systems for operative investigative activities" and hooked them into the ISP's networks; these tap into the telco's infrastructure, allowing spooks to dip into internet traffic as they wish whenever they want.

The interception centres first appeared in Russia and were operated by the Federal Security Service (FSB) - the post-Soviet successor to the KGB. The centres must be installed by law on the networks of the countries in question at the carrier's expense.

The Mission Investigate report claims the monitoring centres have been installed at TeliaSonera-backed companies Ucell in Uzbekistan, Kcell in Kazakhstan, and Azercell in Azerbaijan - and Life in Belarus, which TeliaSonera owns indirectly through Turkcell.

We asked TeliaSonera to clarify the situation. The company did not respond in time, but we will update this story as soon as we hear anything from the firm.

A spokeswoman for the giant told the Mozilla community:

As for all operators, TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation. The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime.

This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country. However together we strive to develop common principles for handling situations where there is a conflict between human rights and national legislation.

This is not the first time TeliaSonera has been in trouble over its dealings in formerly Soviet Eurasian states. ®
