CAT | Internet
The South China Morning Post reports that the ban on Facebook, Twitter, the New York Times, and many other sites, will be lifted, but only in the Shanghai free-trade zone.
The information came from anonymous government sources within China. The purpose is to make the zone more attractive to foreign companies and workers who expect open Internet access. The sources say that the more open access may be expanded into the surrounding territory if the experiment is successful.
It will be interesting to see if this actually comes to pass.
Two questions occur to me. First, will the free-trade zone be considered to be outside the firewall, and hard to access from within the rest of China? Second, is this as much about surveillance of activity on those websites as it is about providing free access?
Another from the “if the data exists, it will get compromised” file.
This article from the Washington Post talks about an interesting case of counter surveillance hacking.
In 2010, Google disclosed that Chinese hackers breached Google’s servers. What only recently came to light was that one of the things compromised was a database containing information about government requests for email records.
Former government officials speculate that they may have been looking for indications of which of their agents had been discovered. If there were records of US government requests for information on any of their agents, it would be evidence that those agents had been exposed. This would allow the Chinese to shut down operations to prevent further exposure and to get those agents out of the country before they could be picked up.
I had not thought about subpoenas and national security letters being a counter intelligence treasure trove, but it makes perfect sense.
Because Google / Gmail are so widely used, they present a huge and valuable target for attackers. Good information on almost any target is likely to live within their databases.
Wired reports on a move by the Japanese government to ask websites to block users who “abuse” TOR.
I assume that TOR is being used as an example, and it would apply to any secure privacy tool.
The interesting question is whether this is simply a foot in the door on the way to banning anonymity, or at least making its use evidence of evil intent.
Currently, public privacy services make little effort to hide themselves. Traffic from them is easily detected as being from an anonymity system. If blocking becomes common, many systems may start implementing more effective stealth systems, which would make filtering anonymity for security reasons even harder.
The Register has an article on Firefox black listing an SSL Certificate authority.
Certificates and certificate authorities are the underpinnings of our secure web infrastructure.
When you see the lock on your browser, it means that the session is encrypted and the site has presented a valid site certificate (so it is who it claims to be).
That site certificate is signed by one of many certificate authorities.
I see 86 certificate issuing authorities in my Firefox now.
Many of those certificate authorities have multiple signing certificates.
Additionally the certificate authorities can delegate to subordinate certificate authorities to sign site certificates.
Any certificate signed by any of these authorities or subordinate authorities is recognized as valid.
These entities are located all over the world, many under the control of oppressive governments (however you define that).
Certificate authorities can create certificates to enable man in the middle attacks, by signing keys purporting to be for a given website, but actually created and held by some other entity.
There are plugins like certificate patrol for Firefox that will tell you when a site you have visited before changes certificates or certificate authorities. Unfortunately this happens fairly frequently for legitimate reasons, such as when renewing certificates every year or few years.
Some certificate authorities are known or suspected to be working with various law enforcement entities to create false certificate for surveillance.
Here is how it works:
The government has certificate authority create a new certificate for a website.
The government then intercepts all sessions to that site with a server (at national level routers for example).
The server uses real site certificate to communicate with the real website securely.
The server uses the new fake certificate to communicate with user securely.
The server then has access to everything in the clear as it shuttles data between the two secure connections..
It can read and/or modify anything in the data stream.
Firefox is removing TeliaSonera’s certificate authority from the list in Firefox for this reason. Going forward no certificate issued by them will be recognized as valid. This will impact a large number of legitimate websites that have contracted with TeliaSonera, as well as preventing the fake certificates.
There is a lot of controversy about this. What is appropriate cooperation with law enforcement vs. supporting and enabling dictators.
In any case, this is a failure of the protocol. If the browser shows a certificate as valid when it has not come from the real website, then there has been a security failure.
The SSL key infrastructure is showing its age. It was “good enough” when there were only one or two certificate authorities and the certificates were not actually protecting anything of great importance. Now everyone relies heavily on the security of the web. Unfortunately, while it is broken, it is very hard to replace.
In the short term, installing a certificate checker like certificate patrol is probably a good idea, despite the number of false positives you will see.
In the longer term, there is a really hard problem to solve.
According to the Telegraph, the UK government is instituting a code of conduct for public WiFi which would require blocking of pornography to protect kids.
I see a couple of problems here.
1) Porn proliferates very quickly, so the blocking is likely to always be behind the curve, and kids are really good at getting around these kinds of blocks.
2) Some people will feel that things are allowed that should be blocked.
3) Inevitably legitimate websites will be blocked. A common example is breast feeding web sties, which frequently get caught in these kinds of nets.
4) Implementing this requires active monitoring of the activity on the WiFi which generally enables other kinds of surveillance.
Most home networks don’t have filtering on the whole network, so kids at home would be exposed to raw Internet. The standard is generally to filter at the end device. It seems to me that would be the best option here.
Parents could choose exactly the blocking technology and philosophy they want to have applied, and it does not impact anyone else.