Original URL: http://www.theregister.co.uk/2013/04/16/mozilla_threatens_teliasonera/

Firefox 'death sentence' threat to TeliaSonera over gov spy claims

Mozilla may snub telecom giant's new SSL certs

By Gavin Clarke

Posted in Security, 16th April 2013 10:19 GMT

Firefox-maker Mozilla could issue a "death sentence" to TeliaSonera's SSL business over allegations the telecoms giant sold Orwellian surveillance tech to dictators.

The punishment would be an embarrassing blow to the company: it would effectively cut off HTTPS-encrypted websites verified by TeliaSonera from Firefox users, who make up one-fifth of the planet's web surfers.

Crucially, it will be seen as a tough stance against corporations that trade with authoritarian states.

TeliaSonera, which has globe-spanning operations and sells SSL certificates to Nordic websites, asked Mozilla to include its new root certificate in Firefox's list of trusted Certificate Authorities (CAs).

Mozilla, as a matter of routine, asked its community of users for their views on the request - but the software foundation was told a Swedish documentary had investigated claims that TeliaSonera was selling spooks technology to snoop on citizens' private communications. That alone may be enough to persuade Moz staff to refuse the new root certificate.

When a browser visits a HTTPS website - such as Google, Amazon or a bank - it must verify that it is talking to the genuine site, rather than a malicious server silently attempting to intercept the sensitive communication. Put simply, the website hands over its SSL certificate, which is like an ID card, to the browser, which checks this document's authenticity using the trusted root certificate belonging to the company that sold the SSL cert. If this chain of trust checks out, the connection can be trusted and encrypted.

If Mozilla decides to reject TeliaSonera's new root certificate, Firefox users who visit a website that uses an SSL cert generated from the new root certificate will be strongly warned they are visiting an untrusted website. Website operators would therefore steer clear of buying SSL certificates from TeliaSonera.

There are more details on the secure certificate system here [PDF].

Mozilla has asked folks to collate specific details about TeliaSonera's internet and phone services which are allegedly being used by dictators to carry out surveillance.

A spokesperson for the ISP giant told The Reg it is "concerned" about Mozilla's course of action. It added that TeliaSonera has a "clean record" and, like "all operators", it honours requests for "lawful interception" by governments.

It is claimed Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan - where TeliaSonera operates subsidiaries or is heavily invested - are using the ISP's networks to eavesdrop on their citizens. TeliaSonera is the dominant telco in Sweden and Finland but also operates in Denmark, Spain and Russia. The company's operations in Eurasia are detailed here [PDF].

Mozilla's concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites - so-called man-in-the-middle (MitM) attacks - and decrypt web traffic. This alleged activity would contradict Mozilla's policy against "knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates".

But a TeliaSonera representative told the Moz community that its new root certificate will "issue public [SSL] certificates only to Swedish and Finnish customers and citizens … All our processes and certificates are following Mozilla requirements and are validated yearly in a Webtrust audit".

The case has echoes of online security biz Trustwave, which generated a "skeleton key" SSL certificate so that an unnamed company could intercept and decrypt workers' HTTPS-encrypted communications. The revelation sparked calls for Firefox to stop accepting Trustwave-granted certificates.

The possibility of action against TeliaSonera was warmly welcomed by Washington DC-based privacy researcher and activist Chris Soghoian. He told The Reg the telco would "pay the price" for "getting into bed with some seriously nasty governments".

'Trusted CAs must not supply surveillance equipment to repressive regimes'

Kathleen Wilson, a program manager at Mozilla, claimed on the software foundation's newsgroups that there "appears to be evidence" TeliaSonera is providing software, services or devices to oppressive rulers that enable the interception and decryption of private, encrypted communications.

"Perhaps we can add policy that publicly trusted CAs must not supply surveillance equipment to repressive regimes - suggestions on wording and where to begin are welcome. In the meantime, we can still take action," she wrote.

Wilson continued:

All software companies (especially CAs) should know by now the risk involved in selling such software. In my opinion, it is very dangerous for any publicly trusted CA to also be in the business of selling software or services that could be used for communications interception and surveillance. It is even more obviously dangerous for a publicly trusted CA to be selling such services to oppressive regimes.

We requested an interview with Wilson, but she was not available to comment.

A TeliaSonera spokesperson told The Reg it has an "ongoing dialogue" with Mozilla, but added: "We are concerned about the Mozilla discussion. This is an industry issue that concerns all telecom operators. However we believe that a telco should be able to also have a CA business. As a CA we have a clean record and should be judged by that."

TeliaSonera is right to be concerned because what's at stake is the future of the company's SSL cert-selling business. The ISP giant already has two certs in Firefox's trusted list - so-called Class1 and Class2 CAs dating from 2001 - but they will expire in 2021, and the corporation wants to start selling SSL certificates using the new paperwork as soon as possible. The new root certificate also uses a stronger 4096-bit cryptographic key.

Firefox has a 20 per cent share of the global mobile and desktop web-browser market according to stats outfit StatCounter. By refusing to recognise TeliaSonera's new root certificate, Mozilla could block off a decent chunk of future business from the ISP. The intention of vocal Mozilla users is clear: to render TeliaSonera's root certificate toxic, and box off the carrier from the rest of the net.

Soghoian explained the implications: "Mozilla has 20 per cent of the browser market. No one will buy a HTTPS certificate that only works for 80 per cent of browsers, particularly when so many other certificate authorities exist whose certs are trusted by all of the browsers.

"If Mozilla kicks a CA out of the trust database, it is essentially a death sentence for the company - or at least, its certificate-selling business. No one is going to pay money for a certificate that generates warnings for millions of Firefox users."

Vote for the correct Eurovision entry ... or else

The catalyst for Mozilla's action appears to be growing claims that companies TeliaSonera owns or partially owns in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan have allowed g-men to intercept users' voice and web communications on supposedly secure lines. Information gathered has then been used by repressive states to harass, arrest and torture citizens.

The allegations were made in an hour-long Swedish documentary by the news show Mission: Investigate.

The data intercepted includes mobile phone location tracking, phone calls, voicemails, emails and text messages, it is claimed. Human-rights activists, protesters, journalists, and members of political parties opposed to their rulers have been targeted, we're told.

Further reports from the Electronic Frontier Foundation claim folks were interrogated in Azerbaijan solely because they voted for rivals Armenia in the 2009 Eurovision song contest.

A TeliSonera official went on camera in the Mission Investigate documentary to defend the company. She said the telco cooperates with nations on a case-by-case basis based on who is asking for the information.

The documentary, however, also quotes an unnamed source who claims TeliaSonera's tentacles have built what are known as "systems for operative investigative activities" and hooked them into the ISP's networks; these tap into the telco's infrastructure, allowing spooks to dip into internet traffic as they wish whenever they want.

The interception centres first appeared in Russia and were operated by the Federal Security Service (FSB) - the post-Soviet successor to the KGB. The centres must be installed by law on the networks of the countries in question at the carrier's expense.

The Mission Investigate report claims the monitoring centres have been installed at TeliaSonera-backed companies Ucell in Uzebekistan, Kcell in Kazakhstan, and Azercell in Azerbaijan - and Life in Belarus, which TeliaSonera owns indirectly through Turkcell.

We asked TeliaSonera to clarify the situation. The company did not respond in time, but we will update this story as soon as we hear anything from the firm.

A spokeswoman for the giant told the Mozilla community:

As for all operators, TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation. The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime.

This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country. However together we strive to develop common principles for handling situations where there is a conflict between human rights and national legislation.

This is not the first time TeliaSonera has been in trouble over its dealings in formerly Soviet Eurasian states. ®