Russia attempts mandating installation of root CA on clients for TLS MITM

https://bugzilla.mozilla.org/show_bug.cgi?id=1758773

I think we’ll see a lot more of this from authoritarian regimes in the future. For anyone unfamiliar with their existing distributed DPI architecture, google “Russia SORM”.

Some tech press coverage on this:

Cheers,
-- jra

Point of clarification: what's happening is that Russian web sites'
certificates are expiring and because of the sanctions, their CAs are
refusing to renew them. So, Russia has spun up their own CA which is,
of course, only present in Russian web browsers.

Regards,
Bill Herrin

Many nations have a government CA.

The United States Government has its Federal Public Key Infrastructure, and Federal Bridge CA.

If you use DoD CAC IDs or FCEB PIV cards or other federal programs, your computer needs to have the FPKI CAs. You don't need the FPKI CAs for other purposes.

Some countries' CAs issue citizen and business certificates.

While X.509 allows you to specify different CAs for different purposes, since the days of Netscape, browsers trust hundreds of root or bridged CAs in their trust repositories for anything.

Neither commercial nor government CAs are inherently more (or less) trustworthy. There has been trouble with CAs of all types.

An X.509 certificate is a big integer number in a fancy wrapper. It's not a magical object.

I think the point Eric was trying to make is that while, indeed, the initial, stated goal might be to be able to issue certificates to replace those expired or expiring, there's just a jump/skip/hop to force installation of this root CA certificate in all browsers, or for Russia to block downloads of Firefox/Chrome from outside the Federation, and instead distribute versions which would already include this CA's certificate. And then MITM the whole population without their knowledge or approval.

GIVEN: savvy users might know how to delete the certificate, or others may teach them how, and how to download other CAs' certificates (if the government was to ship only this certificate with the browser). Cat and mouse game. The North Korean and Chinese governments have been doing these kinds of shenanigans for a long time - I am sure Russia could copy their model. And considering the tight media control they're already exercising, I don't think it is crazy or paranoid to think the Internet will be next. They seem to be already going down that path.

PS: opinions and statements, like the above, are my very own personal take or opinion. Nothing I say should be interpreted to be my employer's position, nor be supported by my employer.

    > I think we'll see a lot more of this from authoritarian regimes in the
    > future. For anyone unfamiliar with their existing distributed DPI
    > architecture, google "Russia SORM".

    Many nations have a government CA.

    The United States Government has its Federal Public Key Infrastructure,
    and Federal Bridge CA.

    FPKI Certification Authorities Overview

    If you use DoD CAC IDs or FCEB PIV cards or other federal programs, your
    computer needs to have the FPKI CAs. You don't need the FPKI CAs for
    other purposes.

    Some countries' CAs issue citizen and business certificates.

    While X.509 allows you to specify different CAs for different purposes,
    since the days of Netscape, browsers trust hundreds of root or bridged CAs
    in their trust repositories for anything.

    Neither commercial nor government CAs are inherently more (or less)
    trustworthy. There has been trouble with CAs of all types.

    An X.509 certificate is a big integer number in a fancy wrapper. It's not a
    magical object.

Considering that 99% of non-technical end users of windows, macos, android, ios client devices have no idea what a root CA is, if an authoritarian regime can mandate the installation of a government-run root CA in the operating system CA trust store of all new devices sold at retail, as equipment is discarded/upgraded/replaced incrementally over a period of years, they could eventually have the capability of MITM of a significant portion of traffic.

Presumably with Apple ending shipment of new MacOS devices to Russia and retail sales of new devices, this wouldn't be so much of an issue with MacOS. The process of re-imaging a modified MacOS install .DMG onto a "blank" macbook air or similar with a new root CA included would be non-trivial, and hopefully might be impossible due to the crypto signature required for a legit MacOS bootable install image.

Mozilla is the only browser vendor these days that maintains its own independent root CA storage for the browser. Chrome, Chromium, Safari, Edge, IE etc all use whatever root CAs are trusted by the operating system. If they can get Windows 10 client PCs pushed to retail with an image that includes their CA…

Clarification, Google Chrome has its own root CA revocation/CRL program. It does still rely on the operating system root CA trust store.

Using a typical intranet/RFC1918 IP space environment as an example, as you might see in any $BIGCORP, if you install your own choice of root CA in the Windows 10 root CA trust store, Chrome’s TLS1.2/TLS1.3 access to internal resources that are https only will work flawlessly without any security warnings. Very normal configuration these days. Used for things like DLP in banking/corporate environments or places where the gateway between internal IP space and the public world has a firewall in place with MITM ability for all TLS traffic.

On any windows 10 system with local admin privileges you can manually find this by opening MMC, go to add/remove snap-ins, select the certificates (local computer) snap-in, left side menu browse to trusted root certificates.

Likewise, my statements and opinions also do not represent any past, current or future employer.
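The post above describes the operating-system root store as the thing that decides which CAs every TLS client on the box will accept, and the MMC walk-through is how you eyeball it on one Windows machine. The defensive counterpart is to fingerprint the installed roots and diff them against a vetted baseline so an unexpected anchor stands out without anyone reading 100+ subject names. The Go program below is an added example written for this thread, not code from any poster or vendor: it parses a PEM bundle (the format used by the Linux system store and by Mozilla's exported list), hashes each DER certificate with SHA-256, and reports anchors that are not in the baseline or have vanished from it. The embedded sample bundle is constructed from placeholder bytes, so its entries parse as "<unparseable>"; on a real bundle path the subject DNs print instead.

```go
package main

// Added example (not from the thread): audit a PEM trust bundle for root
// certificates that were not in a vetted baseline. Sample data is constructed.

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"os"
	"sort"
)

// SampleBundle is a constructed three-entry bundle. The bodies are just base64
// of the strings "rootA", "rootB", "rootC", not real DER certificates.
const SampleBundle = `-----BEGIN CERTIFICATE-----
cm9vdEE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cm9vdEI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cm9vdEM=
-----END CERTIFICATE-----
`

// RootEntry describes one trust anchor found in a bundle.
type RootEntry struct {
	Fingerprint string // lowercase hex SHA-256 over the DER encoding
	Subject     string // subject DN when the DER parses, "<unparseable>" otherwise
}

// ParseBundle walks every CERTIFICATE block in a PEM bundle and fingerprints it.
// Non-certificate blocks (keys, CRLs) are skipped.
func ParseBundle(bundle []byte) []RootEntry {
	var out []RootEntry
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			break
		}
		bundle = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		sum := sha256.Sum256(block.Bytes)
		entry := RootEntry{Fingerprint: hex.EncodeToString(sum[:]), Subject: "<unparseable>"}
		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
			entry.Subject = cert.Subject.String()
		}
		out = append(out, entry)
	}
	return out
}

// AuditRoots compares the anchors found in a bundle with a baseline of vetted
// fingerprints. It returns anchors present but not vetted (candidates for an
// injected CA) and vetted anchors that are no longer present, both sorted.
func AuditRoots(entries []RootEntry, baseline map[string]bool) (unexpected, missing []string) {
	seen := map[string]bool{}
	for _, e := range entries {
		seen[e.Fingerprint] = true
		if !baseline[e.Fingerprint] {
			unexpected = append(unexpected, e.Fingerprint)
		}
	}
	for fp := range baseline {
		if !seen[fp] {
			missing = append(missing, fp)
		}
	}
	sort.Strings(unexpected)
	sort.Strings(missing)
	return unexpected, missing
}

func main() {
	// Usage: go run . [path-to-bundle.pem]; without a path the constructed sample is used.
	data := []byte(SampleBundle)
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			panic(err)
		}
	}
	entries := ParseBundle(data)
	// Constructed baseline: the first two anchors are "vetted", the third is not.
	baseline := map[string]bool{}
	for _, e := range entries[:2] {
		baseline[e.Fingerprint] = true
	}
	unexpected, missing := AuditRoots(entries, baseline)
	for _, e := range entries {
		fmt.Printf("%s  %s\n", e.Fingerprint[:16], e.Subject)
	}
	fmt.Printf("unexpected anchors: %d, missing anchors: %d\n", len(unexpected), len(missing))
}
```

In practice the baseline is the fingerprint list captured from a known-good image and stored outside the machine being audited; on Windows the same comparison can be run over an export of the Trusted Root Certification Authorities store that the MMC snap-in shows.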

While I understand the engineering and business reasons (fewer customer complaints and lawsuits), the underlying risk is due to the combined 'universal trust root CA' store in most TLS/SSL software and vendors.

About 10 years ago, while working on federal network security I tried to create a trust list for USG agency use on USG I.T. equipment. Commercial vendors have different business reasons than governments for including or not including particular CAs. It was a deep rabbit hole, and I understand the details are much more complicated than this email can cover.

You'll notice there still isn't a CA trust list for use in the USG :)

About 95% of the TLS certificates globally are ultimately signed by about six CA organizations depending how you track ownership. (I know, multiple "abouts" in that sentence). The long tail of global business means most operating systems ship (or after the installation autoupdate) with 100+ trusted certificate authorities by default.

According to Wikipedia:
   "As of 24 August 2020, 147 root certificates, representing 52
   organizations, are trusted in the Mozilla Firefox web browser,[9] 168
   root certificates, representing 60 organizations, are trusted by
   macOS,[10] and 255 root certificates, representing 101 organizations,
   are trusted by Microsoft Windows.[11] As of Android 4.2 (Jelly Bean),
   Android currently contains over 100 CAs that are updated with each
   release.[12]"

Besides popular off-the-shelf systems, the rabbit hole goes even deeper with a dozen other CA trust lists needed for things like ePassports, trade and customs exchanges, pharma and medical, etc. And some widely used business software like Adobe and Oracle have their own trust lists.

If you are worried about a jump/skip/hop about authoritarian regimes gaining a foothold in TLS trust stores, that horse left the barn a long time ago. Have you looked at the list of CAs included by default in major open source and commercial vendors' TLS trust stores? Now re-consider those 'universal' trust lists from the point of view of 194 different countries around the world. Open source and commercial companies have been vulnerable to compromise too.

It's not a question of whether you trust one CA (e.g. the Russian Ministry of Digital Development CA), but whether everyone trusts all 100+ CAs in universal trust stores to sign everything/anything.

Again, I understand why companies and open source projects don't want to maintain different trust lists for different jurisdictions around the world. Like other localization requirements (currency, date & time formats, languages) maybe its time has come for localization requirements for TLS/SSL trust lists?

It's not a question of whether you trust one CA (e.g. the Russian Ministry of Digital Development CA), but whether everyone trusts all 100+ CAs in universal trust stores to sign everything/anything.

Right. Authorization is not a binary thing.
You don’t divide your world into the two classes “authorized” and “unauthorized”; you authorize for specific permissions.
Your house cleaners may get access to your home, but not to your bank account.

(I hear whispering: "Authorization? I thought we were talking about authentication."
Yes.
But we authenticate to authorize, and while we are doing this, we authorize (“trust”) to authenticate.
We need to qualify this “trust” with what the resulting authorization can do.)

Again, I understand why companies and open source projects don't want to maintain different trust lists for different jurisdictions around the world. Like other localization requirements (currency, date & time formats, languages) maybe its time has come for localization requirements for TLS/SSL trust lists?

Oh.
Your message started insightful.
Now you are back to binary authorization, just with a jurisdiction parameter going in.

Grüße, Carsten
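Sean's remark earlier in the thread that X.509 allows a CA to be limited to particular purposes, and Carsten's point that authorization should be scoped rather than binary, both describe the same mechanism: the name-constraints extension, which lets a verifier accept a trust anchor only for hostnames inside a namespace. The Go program below is an added example for this thread, not code from any poster or from Mozilla or Google; it builds an in-memory root constrained to the constructed placeholder domain gov-example.test, issues two server certificates from it, and shows that a verifier holding only that root accepts the in-scope name and rejects the out-of-scope bank.example.com with the CA-not-authorized reason. All keys, names and domains are constructed; none is a real CA.

```go
package main

// Added example (not from the thread): a trust anchor authorized for one
// namespace only, enforced by the verifier through X.509 name constraints.
// CA name, domains and keys are constructed in memory.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ConstrainedRoot is a self-signed CA whose certificate carries a
// name-constraints extension (RFC 5280 section 4.2.1.10).
type ConstrainedRoot struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewConstrainedRoot builds a root that verifiers accept only for hostnames
// equal to or below permittedDomain.
func NewConstrainedRoot(permittedDomain string) (*ConstrainedRoot, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed National Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// The scope: this anchor may vouch for names under permittedDomain only.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{permittedDomain},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ConstrainedRoot{Cert: cert, key: key}, nil
}

// IssueServerCert signs a TLS server certificate for hostname. The CA will sign
// any name it is asked to; the constraint is enforced by the relying party
// that verifies the chain, not at issuance.
func (r *ConstrainedRoot) IssueServerCert(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, r.Cert, &key.PublicKey, r.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWithRoot validates leaf for hostname against a trust store holding
// only root. It returns whether the chain is accepted and, if not, a short
// reason: "name constraint" when the root is not authorized for that name.
func VerifyWithRoot(root, leaf *x509.Certificate, hostname string) (bool, string) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: pool})
	if err == nil {
		return true, ""
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.CANotAuthorizedForThisName {
		return false, "name constraint"
	}
	return false, err.Error()
}

func main() {
	root, err := NewConstrainedRoot("gov-example.test")
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"portal.gov-example.test", "bank.example.com"} {
		leaf, err := root.IssueServerCert(host)
		if err != nil {
			panic(err)
		}
		ok, reason := VerifyWithRoot(root.Cert, leaf, host)
		fmt.Printf("%-25s accepted=%v %s\n", host, ok, reason)
	}
}
```

The point the thread circles around is visible in VerifyWithRoot: the scope lives in the trust anchor and is applied by the client, so a root that a store includes with such a constraint cannot be used to vouch for names outside its namespace no matter who controls it, whereas the unconstrained roots in today's stores can.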

Sean Donelan wrote:

You'll notice there still isn't a CA trust list for use in the USG :)

It merely means that PKI does not have its own security and relies
on trust for all the CAs (not only the root ones), which means PKI
is as secure as the plain Internet, which is secure if all the ISPs
are TPPs (trusted third parties).

If you can assume all the CAs are TPPs, you can also assume all the
ISPs are TPPs.

About 95% of the TLS certificates globally are ultimately signed by about six CA organizations depending how you track ownership. (I know, multiple "abouts" in that sentence). The long tail of global business means most operating systems ship (or after the installation autoupdate) with 100+ trusted certificate authorities by default.

The number of blindly trusted root CAs is irrelevant because PKI
with just one not-so-trustworthy root CA is bad enough.

PKI is just insecure.

              Masataka Ohta

Masataka Ohta wrote:

Sean Donelan wrote:

You'll notice there still isn't a CA trust list for use in the USG :)

Wait one... so who issues all the certificates for DoD CAC cards?

Miles Fidelman

Mozilla is the only browser vendor these days that maintains its own independent root CA storage for the browser. Chrome, Chromium, Safari, Edge, IE etc all use whatever root CAs are trusted by the operating system. If they can get Windows 10 client PCs pushed to retail with an image that includes their CA…

Google Chrome has its own root program, and all vendors have been reliant on Mozilla's setup for some time. They don't just blindly trust the OS.

Public CAs are third-party introducers. It's like a friend of a friend of a friend sets you up on a blind date. Your friend's friend's friend may mean well, but you shouldn't rely on them for authentication or authorization of the trustworthiness of the person on the date.

Just read the disclaimers of liability in every public CA statement of practices. The CAs 'customer' is the purchaser of the certificate, not an end-user.

Private CAs are a different matter. Sometimes (frequently) people confuse their relationships between public CAs versus private CAs. Admittedly public CA marketing departments encourage that confusion. The legal folks call it "puffery."

Netscape's original engineering goal was convincing the public it was safe to use credit cards for ecommerce sites on the mid-1990s Internet.
If you saw a padlock icon it was "safe" to enter your credit card number. Of course, people immediately started putting padlock icons on web pages :(

Authentication/authorization about an end-user's relationship with a public CA is mostly mumbo-jumbo. The public also gets confused by the role of notary publics, bearer instruments, cashiers cheques, pen-and-paper signatures, and old-fashioned wax seals. Con artists have taken advantage of that misplaced trust for hundreds of years.