Those online services are secured by US PKI certification companies that are not even registered in the territory of Serbia.
The moment I saw this, I needed a reality check first.
So what is the issue?
US agencies, in cooperation with their companies, may obtain a copy of the certificate or signing requests at any time and decrypt any TCP-dumped communication.
Moreover, they can perform 'man in the middle' attacks in real time whenever they like! Stepping forward, our government PAID those companies in order to allow this!
In practice, this makes it easier for Serbian authorities to ask US authorities when they need forensics of what happened than to examine it alone. But this is not all.
Can they examine it on their own?
They can, if a foreign company that is not even registered in the country decides to be nice enough to help them!
For me, this is a complete capitulation. The problem is that people are not technically educated enough to be aware of it.
What adds more humor is that this was probably not done intentionally. It is due to a lack of knowledge among the people who should be the cream of the crop.
At least I would like to think so. Anything other than that would mean treating us completely as a population of idiots.
Instead of using a Comodo intermediate certificate, they should buy their own. Then use that intermediate to issue certificates themselves.
It will be trusted, but would not allow Comodo to decrypt SSL. Example: Russian Sputnik.
They use an intermediate issued by a US company, but they sign their website using their own certificate issued by that intermediate.
This makes it impossible to use the root certificate to decrypt something signed by a certificate issued by the intermediate, but it allows full verification.
What to do?
Since many countries may experience the same problem due to a lack of laws and regulations, the CA/Browser Forum and the Linux Foundation need to work closely together
and implement a specific set of rules for the choice of the SSL issuer for .gov domains of any country that lacks such laws and regulations.
In my personal opinion, this would require at least that the issuer is incorporated in the territory of the government it secures, making it accountable
under local laws, given that it protects the affairs of local citizens. The Internet community needs to be proactive on this matter.
Governments are slow and we can't wait for them to regulate an issue that affects our privacy in many ways. Strictly, no browser should treat an HTTPS connection
as secure unless the issuer is incorporated in the country in question.
UPDATE: To make it worse, the Serbian Chamber of Commerce offered to provide all the necessary equipment and certificates to those institutions for FREE, but was refused with the explanation that they are not secure enough.