

How Microsoft helps repressive governments like in Tunisia - rei_toei

Recent days have revealed that Tunisia government was stealing username and password of users of common web sites in Tunisia (such as Facebook) via injection of JavaScript to non-secure pages.<p>But the problems in the country go much deeper than that.  Tunisia has its own certificate authority[1] and since 2007 the root certificate has been included in Microsoft Internet Explorer[2].  This certificate is not included in common other browsers like Safari or Firefox.  If you visit [1] from one of those browsers you will see a certificate error.<p>Microsoft has been helping government like Tunisia repress its people because they do not audit these government controlled certificate authorities and they do not restrict the TLDs that the certificate can sign.<p>In Microsoft Root Certificate Program there is a special exception for Government entities[3].  So any government can certify to Microsoft that it is trustworthy with a simple statement:<p>"Increasingly national and regional governments are establishing Certification Authorities intended primarily for government to government or citizen to government (e-government) transactions. These government CAs may be actual government entities, or private parties operating according to a government Certification Practice Statement (“CPS”). Government CAs must meet all the General and Technical Requirements for inclusion in the Program with the exception of audit. Microsoft may accept the following audit equivalency from government CAs.<p>Audit equivalency – for government CAs who issue certificates to secure government to government or citizen to government transactions, Microsoft will accept a statement from a government or private party auditor attesting to the CA’s audit status, giving the name of and reference to their audit guidelines, the date of the last audit, and equivalence of their audit criteria to the Operating Standards (e.g. WebTrust For CAs, ETSI TS 102 042, ETSI 101 456, ISO 21188)."<p>The certificate used by government of Tunisia is not restricted to .TN domains. Here is the certificate:<p><pre><code>  Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=TN, O=ANCE, OU=ANCE WEB, CN=Agence Nationale de Certification Electronique/emailAddress=ance@certification.tn
        Validity
            Not Before: Aug 21 09:58:14 2002 GMT
            Not After : Aug 12 09:58:14 2037 GMT
        Subject: C=TN, O=ANCE, OU=ANCE WEB, CN=Agence Nationale de Certification Electronique/emailAddress=ance@certification.tn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                        00:bb:c1:13:b7:08:29:19:71:9e:14:17:43:fb:28:
                    70:52:85:72:8d:c1:54:04:ad:c0:9e:ac:3b:6a:80:
                    10:fa:81:81:c0:e2:8b:78:ff:eb:02:68:77:33:be:
                    b3:b3:70:82:31:06:f4:a8:d6:74:39:dd:de:0c:7d:
                    51:10:1b:83:73:ab:de:73:40:62:b1:be:49:24:4f:
                    8c:f9:7b:36:0f:6f:18:ae:c1:15:1e:b1:17:ca:9b:
                    82:dc:56:c5:66:92:d9:ac:88:14:f3:70:37:dc:61:
                    eb:5e:0d:db:59:d9:04:59:83:9a:94:93:c5:a4:d4:
                    90:45:46:0d:2d:89:34:b1:29:19:45:59:88:8d:c4:
                    cf:67:02:c9:d8:e6:ba:9e:44:aa:c2:a4:7c:93:45:
                    b1:a0:7e:78:c0:69:fc:8b:89:4e:af:40:e9:85:d6:
                    e5:86:a3:3f:7c:ba:99:90:ac:e7:4a:d0:16:e7:90:
                    4e:34:f1:d0:27:df:35:ae:84:f7:4c:2e:40:b3:19:
                    58:95:f5:72:78:54:a0:76:11:57:d3:0d:87:f0:1c:
                    37:45:8a:d2:d5:dc:66:0f:5d:9e:06:28:b6:80:35:
                    7b:b5:68:1d:3f:52:63:54:04:6e:30:37:14:8f:68:
                    02:bf:b7:f1:50:ef:0a:77:65:51:dd:a7:40:61:68:
                    67:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                9E:C1:0D:33:49:79:AB:B3:B1:93:06:60:33:A9:6A:44:F4:B0:83:33
            X509v3 Authority Key Identifier: 
                keyid:9E:C1:0D:33:49:79:AB:B3:B1:93:06:60:33:A9:6A:44:F4:B0:83:33
                DirName:/C=TN/O=ANCE/OU=ANCE WEB/CN=Agence Nationale de Certification Electronique/emailAddress=ance@certification.tn
                serial:00

            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name: 
                email:ance@certification.tn
            X509v3 Issuer Alternative Name: 
                email:ance@certification.tn
            Netscape Cert Type: 
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 CRL Distribution Points: 
                URI:https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl

            Netscape CA Revocation Url: 
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl
            Netscape Revocation Url: 
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl
    Signature Algorithm: md5WithRSAEncryption
        3e:27:16:1b:2b:94:5c:be:90:60:84:6f:4b:5f:5d:5c:e6:bd:
        20:c3:c7:44:72:46:6f:80:db:f5:e3:f9:57:52:6a:c9:ca:83:
        22:4d:c2:61:bf:0d:02:ce:81:ed:bc:1a:a5:e8:a6:97:8b:dc:
        20:89:54:d8:0c:d4:f4:94:fe:3d:00:9f:2d:33:be:59:d5:36:
        cc:49:04:87:d3:42:b8:77:7a:65:94:9f:e5:75:87:c8:1c:6c:
        38:33:c7:84:93:b9:37:0c:b9:d1:ed:00:d8:11:d8:1e:54:6a:
        df:be:6a:7a:42:32:87:4a:8e:4a:0d:f6:7d:a0:91:7b:9a:0f:
        8d:80:72:ba:6c:a1:17:8e:bc:02:d0:56:7e:cb:e6:7f:fa:1c:
        5e:96:cd:cb:d2:a2:f8:30:8f:e7:6c:8b:d5:bd:20:cd:84:6d:
        f9:24:6d:36:c4:57:4d:ec:11:3f:7e:ea:e1:7c:50:5f:0c:ec:
        96:0a:93:66:27:b5:92:d5:9f:57:ee:f3:7a:fc:1f:ae:c9:17:
        98:40:67:f3:fe:74:12:ce:ea:b6:fd:a3:86:b5:86:a1:14:88:
        8c:2e:d2:86:d1:e8:48:e7:d6:6c:3a:b9:b1:0c:d2:3f:50:2c:
        b0:cb:b8:bf:8e:3d:3e:63:4f:a0:2f:90:e6:eb:b3:6f:f9:d9:
        9a:47:69:47
</code></pre>
X.509 standard contains a provision for restricting the names that the certificate may be used to sign[4].  These are not in the Tunisia certificate and Microsoft does not require this.  So, Tunisia certificate can sign .com domains and so a man-in-the-middle attack like in UAE[5] is possible in Tunisia.  It would be easy for Tunisian government to be intercepting SSL connections to Facebook etc.  See that Mozilla is thinking about such a restriction for root certificates[6].<p>Bottom line: Tunisia could claim to be Facebook if user is using Internet Explorer.  So could any other government.  Microsoft currently has certificates from China, Isreal, Turkey, HK, Macao[7] in the browser.  Also new certificates can be added any time.  Do no use Internet Explorer if you live in a country with a government you donot trust.<p>Also Microsoft turns blind eye to what government's do.  Why does Microsoft allow these certificates, but Safari, Chrome, Firefox do not.  Microsoft is good friend to bad government's.<p>[1] http://www.certification.tn/<p>[2] http://www.certification.tn/index.php?id=323<p>[3] http://technet.microsoft.com/en-us/library/cc751157.aspx#EGAA<p>[4] http://www.ietf.org/rfc/rfc3280.txt (see 4.2.1.11)<p>[5] http://www.schneier.com/blog/archives/2010/09/uae_man-
in-the-.html<p>[6] https://wiki.mozilla.org/CA:Problematic_Practices#Restrict_government_roots_to_their_TLDs<p>[7] http://download.microsoft.com/download/1/4/f/14f7067b-69d3-473a-ba5e-70d04aea5929/windows%20root%20certificate%20program%20members%20november%202009.pdf
======
pmjordan
While this is scary, Mac OS X and various browsers also ship with CA
certificates of questionable motivations, such as China's CNNIC.

It's scary not only for inhabitants of those countries, but also those
outside. The relatively frequent reports of BGP glitches routing arbitrary
traffic through places it shouldn't go don't fill me with confidence.

In this particular case, do we know if the Tunisian government actually _used_
this SSL MITM capability? Is there a reliable way to detect Internet Explorer
at the SSL negotiation stage? If not, users of other browsers will see the
"someone is trying to trick you" screen; you'd think that would be fairly
obvious.

