HTTPS

Mozilla engineers are discussing plans to remove support for a state-operated Dutch TLS/HTTPS provider after the Dutch government has voted a new law that grants local authorities the power to intercept Internet communications using "false keys."

If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate  Authority (CA).

This CA is operated by PKIOverheid/Logius, a division of the Ministry of Interior and Kingdom Relations, which is the same ministry that oversees the AIVD intelligence service.

New law givers Dutch govt power to intercept Internet traffic

What's got Mozilla engineers scared is the new "Wet op de inlichtingen- en veiligheidsdiensten (Wiv)" — translated to Information and Security Services Act — a new law voted this year that will come into effect at the start of 2018.

This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic.

Such covert technical capabilities include the use of "false keys," as mentioned in Article 45 1.b, a broad term that includes TLS certificates.

Fears arise of mass Dutch Internet surveillance

Mozilla fears that Dutch authorities will issue certificates through the local state-operated CA that will allow them to set up SSL proxies to carry out Man-in-the-Middle (MitM) attacks on all users in a dragnet-like Internet surveillance operation.

By distrusting the certificates, Firefox will hinder interception attempts by showing SSL cert errors for those connections, drawing users' attention that something might be afoot.

"Allowing the Ministry of Interior and Kingdom Relations to continue operating a trusted CA in a country hosting a major Internet transit point would be detrimental to the security of all Mozilla users," said Chris van Pelt, the user who reported the issue to Mozilla three weeks ago.

Chances are high that both Mozilla and all the other major browser vendors will distrust the CA, albeit the process will be a slow one.

Image credits: Wikimedia Foundation