I have raised a serious security issue regarding browser trust behavior in countries that do not yet have a specific set of laws and regulations, but use foreign SSL authorities to secure GOV (government) domains.
Those SSL authorities are not legally incorporated within the territory and are not required to meet local regulations on citizen data protection.
Presenting the connection as secure for services that citizens use to file tax reports, or even to enroll children in a kindergarten, is misleading and opens up a privacy issue, since theoretically another country (that of the issuer) may exploit the data in accordance with its own local laws, which might differ from the local ones.
In my personal opinion, no government service (.gov domain) of any country should be presented as secure in any browser unless the certification body is legally incorporated in that territory.
There is a case study regarding the situation in the Republic of Serbia at https://www.certic.info/serbiaitcapitulation.php, which I created minutes after discovering that the service used to transmit the most sensitive data (including personal ID keys) is secured by Comodo, which has no local legal incorporation and holds no liability.
For example, Serbian law requires any form of agreement to be written in the presence of two witnesses; therefore buying an SSL certificate from the web provides no legal ground for any action against the issuer in case of abuse.
This is something that requires a strong debate within the internet community, especially within the countries affected.
One proposal for addressing this could be a condition that the TLD of a gov.* domain must match the country ISO code in the Subject section of the issuer in order for the connection to be treated as secure.
This would at least ensure the local presence of a legal entity and ensure that country-level policies are implemented.
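To make the proposed rule concrete, here is an added example (not part of the original post) that checks a government hostname's country label against the C= field of the issuer DN, using the nested-tuple layout that Python's ssl.SSLSocket.getpeercert() returns. The ccTLD-to-ISO mapping (uk to GB) and the treatment of bare .gov as US are assumptions, and the certificate dicts are constructed samples, so the check runs offline.

```python
# Special cases where the ccTLD label differs from the ISO 3166-1 alpha-2 code
# a CA would place in its C= attribute. "uk" is the well-known one (assumption:
# other two-letter labels are taken to equal their ISO code).
CCTLD_TO_ISO = {"uk": "GB"}

def government_cctld_country(hostname):
    """ISO country code implied by a gov.* hostname, or None for non-government names."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 2 and labels[-1] == "gov":
        return "US"  # assumption: the bare .gov TLD is the US federal space
    if len(labels) >= 3 and labels[-2] == "gov" and len(labels[-1]) == 2:
        cc = labels[-1]
        return CCTLD_TO_ISO.get(cc, cc.upper())
    return None

def issuer_country(peer_cert):
    """Extract countryName (C=) from the issuer DN as laid out by getpeercert()."""
    for rdn in peer_cert.get("issuer", ()):
        for key, value in rdn:
            if key == "countryName":
                return value.upper()
    return None  # issuer DN carries no C= at all; treated as a mismatch below

def issuer_matches_gov_tld(hostname, peer_cert):
    """Proposed rule: a gov.* site counts as secure only when the issuer's C=
    equals the country of the ccTLD. Non-government hosts are out of scope."""
    expected = government_cctld_country(hostname)
    if expected is None:
        return True
    return issuer_country(peer_cert) == expected

# Constructed sample certificates in getpeercert() shape (not real CA data).
CONSTRUCTED_CERT_FOREIGN_CA = {
    "subject": ((("commonName", "portal.gov.rs"),),),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "Example Foreign CA Ltd"),),
               (("commonName", "Example Foreign Domain CA"),)),
}
CONSTRUCTED_CERT_LOCAL_CA = {
    "subject": ((("commonName", "portal.gov.rs"),),),
    "issuer": ((("countryName", "RS"),),
               (("organizationName", "Example Local CA d.o.o."),),
               (("commonName", "Example Local Domain CA"),)),
}

if __name__ == "__main__":
    for cert in (CONSTRUCTED_CERT_FOREIGN_CA, CONSTRUCTED_CERT_LOCAL_CA):
        print(issuer_country(cert), issuer_matches_gov_tld("portal.gov.rs", cert))
```

A browser or monitoring script would run the same comparison on the live peer certificate; here it only decides whether the proposed condition holds.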
Please discuss your opinion, the strength of the impact, and ideas on how to address this.