Logius: Staat der Nederlanden CA trust issue (WiV)
CA Certificate Mis-Issuance
(Reporter: cris.vanpelt, Assigned: Kathleen Wilson)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38
Steps to reproduce:
Accept default trusted certificates.
Became vulnerable to MitM attacks.
The new “Wet op de inlichtingen- en veiligheidsdiensten (Wiv)” (Law for intelligence and security services) has been accepted by the Dutch Government. Provisions authorizing new powers for the Dutch intelligence and security services will become active starting January 1st, 2018.
This revision of the law will authorize intelligence and security to intercept and analyze cable-bound (Internet) traffic, and will include far-reaching authorizations, including covert technical attacks, to facilitate their access to encrypted traffic.
Article 45 1.b explicitly authorizes the use of “false keys” in third party systems to obtain access to systems and data.
The continued inclusion of the “Staat der Nederlanden” Certificate Authority, which is operated by PKIOverheid / Logius, a division of the Ministry of Interior and Kingdom Relations – the same ministry under which the AIVD intelligence service operates – in Mozilla products is therefore no longer appropriate.
The full text of the law may be found here: www.aivd.nl/binaries/aivd_nl/documenten/kamerstukken/2017/08/17/publicatie-in-staatsblad-van-wiv-2017/20170817+Publicatie+Wiv+2017+in+Staatsblad.pdf
Revoke trust for Staat der Nederlanden CA. Allowing the Ministry of Interior and Kingdom Relations to continue operating a trusted CA in a country hosting a major Internet transit point would be detrimental to the security of all Mozilla users.