Feeds

Firefox 'death sentence' threat to TeliaSonera over gov spy claims

Mozilla may snub telecom giant's new SSL certs

The Power of One eBook: Top reasons to choose HP BladeSystem

'Trusted CAs must not supply surveillance equipment to repressive regimes'

Kathleen Wilson, a program manager at Mozilla, claimed on the software foundation's newsgroups that there "appears to be evidence" TeliaSonera is providing software, services or devices to oppressive rulers that enable the interception and decryption of private, encrypted communications.

"Perhaps we can add policy that publicly trusted CAs must not supply surveillance equipment to repressive regimes - suggestions on wording and where to begin are welcome. In the meantime, we can still take action," she wrote.

Wilson continued:

All software companies (especially CAs) should know by now the risk involved in selling such software. In my opinion, it is very dangerous for any publicly trusted CA to also be in the business of selling software or services that could be used for communications interception and surveillance. It is even more obviously dangerous for a publicly trusted CA to be selling such services to oppressive regimes.

We requested an interview with Wilson, but she was not available to comment.

A TeliaSonera spokesperson told The Reg it has an "ongoing dialogue" with Mozilla, but added: "We are concerned about the Mozilla discussion. This is an industry issue that concerns all telecom operators. However we believe that a telco should be able to also have a CA business. As a CA we have a clean record and should be judged by that."

TeliaSonera is right to be concerned because what's at stake is the future of the company's SSL cert-selling business. The ISP giant already has two certs in Firefox's trusted list - so-called Class1 and Class2 CAs dating from 2001 - but they will expire in 2021, and the corporation wants to start selling SSL certificates using the new paperwork as soon as possible. The new root certificate also uses a stronger 4096-bit cryptographic key.

Firefox has a 20 per cent share of the global mobile and desktop web-browser market according to stats outfit StatCounter. By refusing to recognise TeliaSonera's new root certificate, Mozilla could block off a decent chunk of future business from the ISP. The intention of vocal Mozilla users is clear: to render TeliaSonera's root certificate toxic, and box off the carrier from the rest of the net.

Soghoian explained the implications: "Mozilla has 20 per cent of the browser market. No one will buy a HTTPS certificate that only works for 80 per cent of browsers, particularly when so many other certificate authorities exist whose certs are trusted by all of the browsers.

"If Mozilla kicks a CA out of the trust database, it is essentially a death sentence for the company - or at least, its certificate-selling business. No one is going to pay money for a certificate that generates warnings for millions of Firefox users."

Vote for the correct Eurovision entry ... or else

The catalyst for Mozilla's action appears to be growing claims that companies TeliaSonera owns or partially owns in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan have allowed g-men to intercept users' voice and web communications on supposedly secure lines. Information gathered has then been used by repressive states to harass, arrest and torture citizens.

The allegations were made in an hour-long Swedish documentary by the news show Mission: Investigate.

The data intercepted includes mobile phone location tracking, phone calls, voicemails, emails and text messages, it is claimed. Human-rights activists, protesters, journalists, and members of political parties opposed to their rulers have been targeted, we're told.

Further reports from the Electronic Frontier Foundation claim folks were interrogated in Azerbaijan solely because they voted for rivals Armenia in the 2009 Eurovision song contest.

A TeliSonera official went on camera in the Mission Investigate documentary to defend the company. She said the telco cooperates with nations on a case-by-case basis based on who is asking for the information.

The documentary, however, also quotes an unnamed source who claims TeliaSonera's tentacles have built what are known as "systems for operative investigative activities" and hooked them into the ISP's networks; these tap into the telco's infrastructure, allowing spooks to dip into internet traffic as they wish whenever they want.

The interception centres first appeared in Russia and were operated by the Federal Security Service (FSB) - the post-Soviet successor to the KGB. The centres must be installed by law on the networks of the countries in question at the carrier's expense.

The Mission Investigate report claims the monitoring centres have been installed at TeliaSonera-backed companies Ucell in Uzebekistan, Kcell in Kazakhstan, and Azercell in Azerbaijan - and Life in Belarus, which TeliaSonera owns indirectly through Turkcell.

We asked TeliaSonera to clarify the situation. The company did not respond in time, but we will update this story as soon as we hear anything from the firm.

A spokeswoman for the giant told the Mozilla community:

As for all operators, TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation. The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime.

This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country. However together we strive to develop common principles for handling situations where there is a conflict between human rights and national legislation.

This is not the first time TeliaSonera has been in trouble over its dealings in formerly Soviet Eurasian states. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.