SoylentNews is people

posted by Fnord666 on Saturday January 28 2017, @07:48PM
from the Quis-custodiet-ipsos-custodes? dept.

Privacy International is criticizing Microsoft for its approval of the Thai military government's root certificate by default, which could enable spying on Thai citizens:

Privacy International, a UK-based nonprofit founded in 1990, released a report showing that Microsoft is the only operating system vendor to have approved the Thai military government's root certificate by default, which is managed by the Electronic Transaction Development Agency (ETDA). The nonprofit worries that the Thai government could now perform "man-in-the-middle" (MITM) attacks against Thai citizens. [...] In a statement to Tom's Hardware, Microsoft said that the Thai government obtained a root certificate in Windows only after passing the company's "extensive" approval process combined with an audit by BDO, a Canadian accounting and auditing firm.

Meanwhile, Google is launching its own root certificate authority:

The move, announced Thursday, will stop Google relying on an intermediate certificate authority (GIAG2) issued by a third party in its ongoing process of rolling out HTTPS across its products and services. "As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology," Google explained in a blog post. "This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority."

The newly established Google Trust Services will operate these Certificate Authorities on behalf of Google and parent company Alphabet.


  • (Score: 2, Insightful) by Uncle_Al on Saturday January 28 2017, @08:13PM

    by Uncle_Al (1108) on Saturday January 28 2017, @08:13PM (#459930)

    oxymoron

  • (Score: 4, Informative) by Nerdfest on Saturday January 28 2017, @08:44PM

    by Nerdfest (80) on Saturday January 28 2017, @08:44PM (#459932)

    Google itself is quite trustworthy and has demonstrated an excellent security record ... as far as it's allowed within the government of its home country. They were pissed when they found the NSA was not merely giving them NSLs, but was also intercepting traffic on private networks between data centres (it's all encrypted now). Unless they manage this through a company outside the US, yeah, there's not a lot of value.

    Microsoft has been the US government's bitch for years. Private data and backdoors in exchange for big contracts. Not a big surprise to see them making things convenient for the Thai military.

    • (Score: 2) by frojack on Sunday January 29 2017, @01:13AM

      by frojack (1554) on Sunday January 29 2017, @01:13AM (#460009) Journal

      Google has also been flagging any server with a self-signed cert as dangerous and even blocking access to them.

      All the while running their own self-signed certificate.

      Now that Let's Encrypt is handing out cheap to free certs with auto update tools, Google decides to make their
      self-signed certs somehow "official" by becoming a Root Certificate Authority. Apparently it's only for themselves
      and their own services.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by Nerdfest on Sunday January 29 2017, @03:25PM

        by Nerdfest (80) on Sunday January 29 2017, @03:25PM (#460252)

        Got an example? I know both they and Mozilla pop up a very annoying warning, but I've never seen anything blocked.