Original article link

Archive of all clips: http://clips.quintarelli.it (Evernote notebook).

Logius: Staat der Nederlanden CA trust issue (WiV)

Status: UNCONFIRMED

Component: CA Certificate Mis-Issuance

Reporter: cris.vanpelt

Assigned to: Kathleen Wilson

Firefox Tracking Flags: Not tracked

Whiteboard: [ca-investigation]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38

Steps to reproduce:

Accept default trusted certificates.

Actual results:

Became vulnerable to MitM attacks.

The new “Wet op de inlichtingen- en veiligheidsdiensten (Wiv)” (Law for intelligence and security services) has been accepted by the Dutch Government. Provisions authorizing new powers for the Dutch intelligence and security services will become active starting January 1st, 2018.

This revision of the law will authorize intelligence and security to intercept and analyze cable-bound (Internet) traffic, and will include far-reaching authorizations, including covert technical attacks, to facilitate their access to encrypted traffic.

Article 45 1.b explicitly authorizes the use of “false keys” in third party systems to obtain access to systems and data.

The continued inclusion of the “Staat der Nederlanden” Certificate Authority, which is operated by PKIOverheid / Logius, a division of the Ministry of Interior and Kingdom Relations – the same ministry under which the AIVD intelligence service operates – in Mozilla products is therefore no longer appropriate.

The full text of the law may be found here: www.aivd.nl/binaries/aivd_nl/documenten/kamerstukken/2017/08/17/publicatie-in-staatsblad-van-wiv-2017/20170817+Publicatie+Wiv+2017+in+Staatsblad.pdf

Expected results:

Revoke trust for Staat der Nederlanden CA. Allowing the Ministry of Interior and Kingdom Relations to continue operating a trusted CA in a country hosting a major Internet transit point would be detrimental to the security of all Mozilla users.