Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Saturday January 28 2017, @07:48PM   Printer-friendly
from the Quis-custodiet-ipsos-custodes? dept.

Privacy International is criticizing Microsoft for its approval of the Thai military government's root certificate by default, which could enable spying on Thai citizens:

Privacy International, a UK-based nonprofit founded in 1990, released a report showing that Microsoft is the only operating system vendor to have approved the Thai military government's root certificate by default, which is managed by the Electronic Transaction Development Agency (ETDA). The nonprofit worries that the Thai government could now perform "man-in-the-middle" (MITM) attacks against Thai citizens. [...] In a statement to Tom's Hardware, Microsoft said that the Thai government obtained a root certificate in Windows only after passing the company's "extensive" approval process combined with an audit by BDO, a Canadian accounting and auditing firm.

Meanwhile, Google is launching its own root certificate authority:

The move, announced Thursday, will stop Google relying on an intermediate certificate authority (GIAG2) issued by a third party in its ongoing process of rolling out HTTPS across its products and services. "As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology," Google explained in a blog post. "This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority."

The newly established Google Trust Services will operate these Certificate Authorities on behalf of Google and parent company Alphabet.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Insightful) by Uncle_Al on Saturday January 28 2017, @08:13PM

    by Uncle_Al (1108) on Saturday January 28 2017, @08:13PM (#459930)

    oxymoron

    • (Score: 4, Informative) by Nerdfest on Saturday January 28 2017, @08:44PM

      by Nerdfest (80) on Saturday January 28 2017, @08:44PM (#459932)

      Google itself is quite trustworthy and has demonstrated an excellent security record ... as far as it's allowed within the government of its home country. They were pissed when they found the NSA was not merely giving them NSLs, but was also intercepting traffic on private networks between data centres (it's all encrypted now). Unless they manage this through a company outside the US, yeah, there's not a lot of value.

      Microsoft has been the US governments bitch for years. Private data and backdoors in exchange for big contracts. Not a big surprise to see them making things convenient for the Thai military.

      • (Score: 2) by frojack on Sunday January 29 2017, @01:13AM

        by frojack (1554) on Sunday January 29 2017, @01:13AM (#460009) Journal

        Google has also been flagging any server with a self signed cert as dangerous and even blocking access to them.

        All the while running their own self signed certificate.

        Now that Lets Encrypt is handing out cheap to free certs with auto update tools, Google decides to make their
        self signed certs some how "official" by becoming a Root Certificate Authority. Apparently its only for themselves
        and their own services.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by Nerdfest on Sunday January 29 2017, @03:25PM

          by Nerdfest (80) on Sunday January 29 2017, @03:25PM (#460252)

          Got an example? I know both they and Mozilla pop up a very annoying warning, but I've never seen anything blocked.

  • (Score: 2, Informative) by Anonymous Coward on Saturday January 28 2017, @08:45PM

    by Anonymous Coward on Saturday January 28 2017, @08:45PM (#459933)

    https://www.proper.com/root-cert-problem/ [proper.com]

    In the default configuration for Windows XP with Service Pack 2 (SP2), if a user removes one of the trusted root certificates, and the certifier who issued that root certificate is trusted by Microsoft, Windows will silently add the root certificate back into the user's store and use the original trust settings. This prevents a Windows XP SP2 user from declaring a Microsoft-trusted certification authority as untrusted unless the user turns off the Windows component that controls this feature.

    Note: Windows Vista works quite differently than Windows XP SP2 in this regard, and has significant but different problems with Microsoft-trusted root certificates: the user cannot mark them as untrusted. The differences between the two versions of Windows are covered in the last section.

    I believe such issues still apply to more recent versions of Windows.

    • (Score: 2) by Nerdfest on Saturday January 28 2017, @11:31PM

      by Nerdfest (80) on Saturday January 28 2017, @11:31PM (#459968)

      So basically, they try to ensure they can MITM you for the NSA. Nice.

  • (Score: 3, Interesting) by darkfeline on Saturday January 28 2017, @10:21PM

    by darkfeline (1030) on Saturday January 28 2017, @10:21PM (#459952) Homepage

    One nice thing about Google running a CA is that they're much less likely to be blatantly incompetent, like many of our current CAs.

    However, because they're much more competent, there's a good chance they will end up owning/dominating yet another large piece of the Internet, so...

    However however, it sounds like from TFS that this CA is primarily for issuing certs for Google/Alphabet, so it's not going to replace Let's Encrypt, for example.

    Also, since Google is using it for their own machines, I imagine that they have a vested interest in NOT leaking or otherwise compromising their keys to governments and other entities. Last thing they need is the CIA/FBI/DHS losing their copy of the key and getting their entire infrastructure pwned by some skiddie.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 0) by Anonymous Coward on Saturday January 28 2017, @10:49PM

    by Anonymous Coward on Saturday January 28 2017, @10:49PM (#459960)

    The current Certificate Authority system is broken anyway. You can't trust anyone who is potentially subject to "National Security Letter" to handle your security for you (e.g. to NOT issue keys under their CA which can be used to conduct man-in-the-middle attacks against you which most people cannot detect).

    Certificate pinning is a temporary work-around, but still almost useless due to the huge number of false-positives generated by the likes of Cloudflare, Google, Twitter, etc., and site owners' tendancy to intentionally change their own certificates without announcing it. Running your own CA (at least when you're a nobody who can't insert your own CA certs into major browsers' defaults) is also problematic due to Firefox and Google foolish hysteria over self-signed certificates.

    Proper solutions are being investigated and built, with some of the more exciting ones being detailed on youbroketheinternet.org [youbroketheinternet.org].