
Mozilla engineers are discussing plans to remove support for a state-operated Dutch TLS/HTTPS provider after the Dutch government passed a new law that grants local authorities the power to intercept Internet communications using "false keys."
If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate Authority (CA).
This CA is operated by PKIOverheid/Logius, a division of the Ministry of Interior and Kingdom Relations, which is the same ministry that oversees the AIVD intelligence service.
New law gives Dutch govt power to intercept Internet traffic
What's got Mozilla engineers scared is the new "Wet op de inlichtingen- en veiligheidsdiensten (Wiv)," translated as the Information and Security Services Act, a law passed this year that will come into effect at the start of 2018.
This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic.
Such covert technical capabilities include the use of "false keys," as mentioned in Article 45 1.b, a broad term that includes TLS certificates.
Fears arise of mass Dutch Internet surveillance
Mozilla fears that Dutch authorities will issue certificates through the local state-operated CA that will allow them to set up SSL proxies to carry out Man-in-the-Middle (MitM) attacks on all users in a dragnet-like Internet surveillance operation.
By distrusting the certificates, Firefox will hinder interception attempts by showing SSL cert errors for those connections, alerting users that something might be afoot.
"Allowing the Ministry of Interior and Kingdom Relations to continue operating a trusted CA in a country hosting a major Internet transit point would be detrimental to the security of all Mozilla users," said Chris van Pelt, the user who reported the issue to Mozilla three weeks ago.
Chances are high that both Mozilla and all the other major browser vendors will distrust the CA, although the process will be a slow one.
Image credits: Wikimedia Foundation

Comments
jack_alexander2 - 7 years ago
The use of dystopia is not a proper use of the word when it comes to the Netherlands. They aren't down-trodden and filled with fear.
I would still prefer them on my VPN since they are NOT part of the '14 eyes' agreement among many nations to spy on its and other citizens.
This time Mozilla has gone too far. Just like the newest version of their browser. I am positive that it has telemetry spying on users.
thegeekkid - 7 years ago
What is your source on that suspicion? I'll do an investigation on it tonight, but if you had hard evidence, it might save me some time. ;)
Sajo8 - 7 years ago
If you download the Beta/Nightly (I'm not sure about Dev version) Firefox, then you agree for automatic telemetry to be sent. It's written right under the download, no need to investigate the ToS or privacy policy.
xvilo - 7 years ago
Well, the Dutch law explicitly states with the use of fake keys. Why would you want to trust a government controlled CA issuing all kinds of certificates?
Also, it's not Mozilla's idea. But it has been proposed as a bug. Which I, personally, fully support.
thegeekkid - 7 years ago
@jack_alexander2, sorry, I ended up needing to push it off until this evening. I ran an investigation on the latest release of FireFox (56.0.2), and did not see any telemetry being sent (assuming you turned off the option to share data with FireFox - which needing to do so is fairly standard across any browser).
The closest that I saw was FireFox checking for updates, downloading the initial settings (I did a clean install), and checking to see if there was a captive portal. If you wish to verify my results, you can download my Burpsuite project here: https://bscc.support/files/investigations/mozilla/firefox/FireFox_investigation_11-1-17.burp
Because I see no evidence of telemetry being collected, I'm calling BS unless you can come up with any actual evidence.
Occasional - 7 years ago
"assuming you turned off the option to share data with FireFox - which needing to do so is fairly standard across any browser"
Last year, and start of this, MS was overriding user privacy settings in Win10 with each update. I didn't see any notices or comments, but they seem to have stopped the practice as of this summer (still run Shutup10 after updates, anyway). Perhaps Mozilla is doing something similar, but with the browser. Only noticed MS sneak, as it clobbered resources on older boxes upgraded to Win10.
thegeekkid - 7 years ago
Honestly, even if you didn't turn off that data, compared to certain other browsers *cough cough Chrome cough cough*, the information shared really isn't all that bad (https://www.mozilla.org/en-US/privacy/firefox/). That being said, for someone concerned about privacy to that extent, they should be in the habit of checking their privacy settings anyway.
And ya, I saw people claiming that with MS; but I never personally experienced it. Granted, when I use Windows, I use pro; so I control the updates manually and that might have something to do with it, but I personally never experienced it. At the end of the day, depending on how concerned you are with privacy, you shouldn't be using Windows or OSx (I would argue Ubuntu as well... but... I'm a purist. Lol!).
Occasional - 7 years ago
Issue was on PCs using Pro and Enterprise. I did see that resource hogging was worse with Chrome (brought to a crawl). Traced with Task manager to communication processes (chatter with MS).
Shutup10 not only provided a fix, it lists many privacy and security options I would not have thought of (and are not options on Win10 install). Not using Windows, is not an option for many of us.
Whether browser or OS, an update should not reset security and privacy option selections.