Hacker News | How Microsoft Helps Repressive Governments Like in Tunisia

20 points by rei_toei 222 days ago
Recent days have revealed that the Tunisian government was stealing the usernames and passwords of users of common web sites in Tunisia (such as Facebook) via injection of JavaScript into non-secure pages. But the problems in the country go much deeper than that. Tunisia has its own certificate authority[1] and since 2007 the root certificate has been included in Microsoft Internet Explorer[2]. This certificate is not included in other common browsers like Safari or Firefox. If you visit [1] from one of those browsers you will see a certificate error.

Microsoft has been helping governments like Tunisia repress their people because they do not audit these government controlled certificate authorities and they do not restrict the TLDs that the certificate can sign.

In the Microsoft Root Certificate Program there is a special exception for Government entities[3]. So any government can certify to Microsoft that it is trustworthy with a simple statement:

"Increasingly national and regional governments are establishing Certification Authorities intended primarily for government to government or citizen to government (e-government) transactions. These government CAs may be actual government entities, or private parties operating according to a government Certification Practice Statement (“CPS”). Government CAs must meet all the General and Technical Requirements for inclusion in the Program with the exception of audit. Microsoft may accept the following audit equivalency from government CAs.

Audit equivalency – for government CAs who issue certificates to secure government to government or citizen to government transactions, Microsoft will accept a statement from a government or private party auditor attesting to the CA’s audit status, giving the name of and reference to their audit guidelines, the date of the last audit, and equivalence of their audit criteria to the Operating Standards (e.g. WebTrust For CAs, ETSI TS 102 042, ETSI 101 456, ISO 21188)."

The certificate used by the government of Tunisia is not restricted to .TN domains. Here is the certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=TN, O=ANCE, OU=ANCE WEB, CN=Agence Nationale de Certifica
        Validity
            Not Before: Aug 21 09:58:14 2002 GMT
            Not After : Aug 12 09:58:14 2037 GMT
        Subject: C=TN, O=ANCE, OU=ANCE WEB, CN=Agence Nationale de Certific
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bb:c1:13:b7:08:29:19:71:9e:14:17:43:fb:28:
                    70:52:85:72:8d:c1:54:04:ad:c0:9e:ac:3b:6a:80:
                    10:fa:81:81:c0:e2:8b:78:ff:eb:02:68:77:33:be:
                    b3:b3:70:82:31:06:f4:a8:d6:74:39:dd:de:0c:7d:
                    51:10:1b:83:73:ab:de:73:40:62:b1:be:49:24:4f:
                    8c:f9:7b:36:0f:6f:18:ae:c1:15:1e:b1:17:ca:9b:
                    82:dc:56:c5:66:92:d9:ac:88:14:f3:70:37:dc:61:
                    eb:5e:0d:db:59:d9:04:59:83:9a:94:93:c5:a4:d4:
                    90:45:46:0d:2d:89:34:b1:29:19:45:59:88:8d:c4:
                    cf:67:02:c9:d8:e6:ba:9e:44:aa:c2:a4:7c:93:45:
                    b1:a0:7e:78:c0:69:fc:8b:89:4e:af:40:e9:85:d6:
                    e5:86:a3:3f:7c:ba:99:90:ac:e7:4a:d0:16:e7:90:
                    4e:34:f1:d0:27:df:35:ae:84:f7:4c:2e:40:b3:19:
                    58:95:f5:72:78:54:a0:76:11:57:d3:0d:87:f0:1c:
                    37:45:8a:d2:d5:dc:66:0f:5d:9e:06:28:b6:80:35:
                    [one line of 15 modulus bytes lost in page extraction]
                    02:bf:b7:f1:50:ef:0a:77:65:51:dd:a7:40:61:68:
                    67:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                9E:C1:0D:33:49:79:AB:B3:B1:93:06:60:33:A9:6A:44:F4:B0:83:33
            X509v3 Authority Key Identifier:
                keyid:9E:C1:0D:33:49:79:AB:B3:B1:93:06:60:33:A9:6A:44:F4:B0
                DirName:/C=TN/O=ANCE/OU=ANCE WEB/CN=Agence Nationale de Cer
                serial:00
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Certificate Sign, CRL S
            X509v3 Subject Alternative Name:
                email:ance@certification.tn
            X509v3 Issuer Alternative Name:
                email:ance@certification.tn
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 CRL Distribution Points:
                URI:https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl
            Netscape CA Revocation Url:
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl
            Netscape Revocation Url:
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl
    Signature Algorithm: md5WithRSAEncryption
        3e:27:16:1b:2b:94:5c:be:90:60:84:6f:4b:5f:5d:5c:e6:bd:
        20:c3:c7:44:72:46:6f:80:db:f5:e3:f9:57:52:6a:c9:ca:83:
        22:4d:c2:61:bf:0d:02:ce:81:ed:bc:1a:a5:e8:a6:97:8b:dc:
        20:89:54:d8:0c:d4:f4:94:fe:3d:00:9f:2d:33:be:59:d5:36:
        cc:49:04:87:d3:42:b8:77:7a:65:94:9f:e5:75:87:c8:1c:6c:
        38:33:c7:84:93:b9:37:0c:b9:d1:ed:00:d8:11:d8:1e:54:6a:
        df:be:6a:7a:42:32:87:4a:8e:4a:0d:f6:7d:a0:91:7b:9a:0f:
        8d:80:72:ba:6c:a1:17:8e:bc:02:d0:56:7e:cb:e6:7f:fa:1c:
        5e:96:cd:cb:d2:a2:f8:30:8f:e7:6c:8b:d5:bd:20:cd:84:6d:
        f9:24:6d:36:c4:57:4d:ec:11:3f:7e:ea:e1:7c:50:5f:0c:ec:
        96:0a:93:66:27:b5:92:d5:9f:57:ee:f3:7a:fc:1f:ae:c9:17:
        98:40:67:f3:fe:74:12:ce:ea:b6:fd:a3:86:b5:86:a1:14:88:
        8c:2e:d2:86:d1:e8:48:e7:d6:6c:3a:b9:b1:0c:d2:3f:50:2c:
        b0:cb:b8:bf:8e:3d:3e:63:4f:a0:2f:90:e6:eb:b3:6f:f9:d9:
        9a:47:69:47
The X.509 standard contains a provision for restricting the names that the certificate may be used to sign[4]. These are not in the Tunisia certificate and Microsoft does not require this. So, the Tunisia certificate can sign .com domains and so a man-in-the-middle attack like in the UAE[5] is possible in Tunisia. It would be easy for the Tunisian government to be intercepting SSL connections to Facebook etc. See that Mozilla is thinking about such a restriction for root certificates[6].

Bottom line: Tunisia could claim to be Facebook if the user is using Internet Explorer. So could any other government. Microsoft currently has certificates from China, Israel, Turkey, HK, Macao[7] in the browser. Also new certificates can be added any time. Do not use Internet Explorer if you live in a country with a government you do not trust.

Also Microsoft turns a blind eye to what governments do. Why does Microsoft allow these certificates, but Safari, Chrome, Firefox do not? Microsoft is a good friend to bad governments.

[1] http://www.certification.tn/
[2] http://www.certification.tn/index.php?id=323
[3] http://technet.microsoft.com/en-us/library/cc751157.aspx#EGAA
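What the missing Name Constraints extension means in practice, as an added example that is not part of the post and not any browser's or CA's code: the RFC 5280 dNSName constraint rule in pure Python, run against the ANCE root as the post shows it (CA:TRUE, md5WithRSAEncryption, no Name Constraints) and against a hypothetical variant restricted to the .tn subtree. The hostnames and the permitted list are constructed inputs.

```python
from dataclasses import dataclass, field


def dns_matches(hostname: str, subtree: str) -> bool:
    """RFC 5280 dNSName rule: a constraint 'example.tn' covers 'example.tn'
    itself and any name made by adding labels on the left ('www.example.tn').
    A leading dot, which some CAs write, is tolerated; matching ignores case."""
    host = hostname.lower().rstrip(".")
    base = subtree.lower().strip(".")
    return host == base or host.endswith("." + base)


@dataclass
class NameConstraints:
    """The dNSName part of the X509v3 Name Constraints extension.
    present=False models a root that lacks the extension entirely."""
    present: bool = False
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)

    def allows(self, hostname: str) -> bool:
        if not self.present:
            return True          # no extension: every hostname is in scope
        if any(dns_matches(hostname, s) for s in self.excluded):
            return False         # excluded subtrees win over permitted ones
        if self.permitted and not any(dns_matches(hostname, s) for s in self.permitted):
            return False         # a permitted list exists and nothing matched
        return True


def audit_root(is_ca: bool, sig_alg: str, nc: NameConstraints, hosts: list[str]) -> dict:
    """Report which hostnames a trusted root could vouch for, plus the findings
    a root-program reviewer would raise from the fields shown in the post."""
    findings = []
    if is_ca and not nc.present:
        findings.append("CA:TRUE with no Name Constraints: may issue for any hostname")
    if sig_alg.lower().startswith("md5"):
        # A root's self-signature is never verified, so this alone does not
        # break trust, but it dates the CA setup and invites a closer look.
        findings.append("self-signed with md5WithRSAEncryption")
    return {"findings": findings,
            "hosts": {h: is_ca and nc.allows(h) for h in hosts}}


# Constructed inputs: the ANCE root as shown above (CA:TRUE, MD5 self-signature,
# no Name Constraints) and a hypothetical variant restricted to the .tn subtree.
HOSTS = ["www.certification.tn", "www.facebook.com", "mail.google.com"]
ANCE_AS_SHIPPED = audit_root(True, "md5WithRSAEncryption", NameConstraints(), HOSTS)
ANCE_TN_ONLY = audit_root(True, "md5WithRSAEncryption",
                          NameConstraints(present=True, permitted=["tn"]), HOSTS)
```

With the root as shipped every hostname comes back allowed; with the .tn restriction only www.certification.tn does, which is the check a root program could have required.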

