Issue 686397

Status: WontFix
Closed: Jan 2017
OS: Mac
Pri: 2
Type: Bug-Security

Government domains SSL Policy Oversight

Reported by stefan@certic.info, Jan 28 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36

Steps to reproduce the problem:
1. Go to https://www.euprava.gov.rs (service to fill in tax reports, get personal documents, etc.)
2. Browser will report Secure Connection
3. In fact this is misleading, as GB law differs from Serbian.
4. No .gov website secured by a foreign SSL issuer that is not legally incorporated in the country (therefore not liable) should be able to display a secure connection. It is not.

What is the expected behavior?
No browser should report a secure connection under these specific circumstances.

CA/Browser forum is slow, and someone needs to push this into discussion.

What went wrong?
I have raised a serious security issue in regards to browser trust behavior within countries that don't have a specific set of laws and regulations yet, but use foreign SSL authorities to secure GOV (government) domains.

Those SSL authorities are not legally incorporated within the territory and are not required to meet local regulations on citizen data protection.

Presenting the connection as secure for services that citizens use to fill in tax reports, or even sign children up for kindergarten, is misleading and opens up a privacy issue, since theoretically another country (that of the issuer) may exploit the data in accordance with its local laws, which might differ from local ones.

In my personal opinion, no government service (.gov domain) of any country should be presented as Secure in any browser, unless the certification body is legally incorporated in the territory.

There is a case study in regards to the Republic of Serbia situation at https://www.certic.info/serbiaitcapitulation.php, which I created minutes after discovering that the service used to transmit the most sensitive data (including personal ID keys) is secured by Comodo, who has no local legal incorporation and holds no liability.

For example, Serbian law requires any form of agreement to be written in the presence of 2 witnesses; therefore buying SSL from the web provides no legal grounds for any action against the issuer in case of abuse.

This is something that requires a strong debate within internet community, especially within countries affected.

Please discuss your opinion, the strength of impact and ideas on how to address this.

Did this work before? No 

Chrome version: 55.0.2883.95  Channel: n/a
OS Version: OS X 10.12.3
Flash Version: Shockwave Flash 24.0 r0

This is tricky, and probably affects a large population.
 
Components: Internals>Network>Certificate
Owner: rsleevi@chromium.org
Status: Assigned (was: Unconfirmed)
+rsleevi

Comment 2 by stefan@certic.info, Jan 29 2017

Proposal:

The Issuer Name country of the certificate should match the national domain ending for *.gov.* domains.

Hope It helps,
Stefan 
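The proposal above as a concrete check, written as an added example (not code from the reporter or from Chromium): it evaluates a certificate in the dict shape returned by Python's `ssl` `getpeercert()` against the hostname it was served for. The sample certificate, the helper names and the rule that only a two-letter country code directly after the `gov` label qualifies are assumptions.

```python
from typing import Any, Dict, Optional

# Hypothetical policy check for the proposal in Comment 2: for a *.gov.<cc> host, the
# certificate issuer's countryName must equal the host's country-code TLD.
# The cert argument has the shape of ssl.SSLSocket.getpeercert(): a dict whose
# "issuer" is a tuple of RDNs, each a tuple of (attribute, value) pairs.

def _dn_value(name: tuple, attr: str) -> Optional[str]:
    """Return the first value of `attr` in a getpeercert()-style distinguished name."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def expected_country(hostname: str) -> Optional[str]:
    """Upper-cased ccTLD for a *.gov.<cc> hostname, else None.
    Assumption: only a two-letter code directly after the 'gov' label qualifies."""
    labels = hostname.lower().rstrip(".").split(".")
    if (len(labels) >= 2 and labels[-2] == "gov"
            and len(labels[-1]) == 2 and labels[-1].isalpha()):
        return labels[-1].upper()
    return None

def check_gov_issuer(hostname: str, cert: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate the proposed rule; 'applies' is False for hosts the rule does not cover."""
    want = expected_country(hostname)
    have = _dn_value(cert.get("issuer", ()), "countryName")
    if want is None:
        return {"applies": False, "ok": True, "expected": None, "issuer_country": have}
    return {"applies": True, "ok": have == want, "expected": want, "issuer_country": have}

# Constructed sample in getpeercert() shape; the issuer is a placeholder, not a real CA's name.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.euprava.gov.rs"),),),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "Example CA Ltd"),),
               (("commonName", "Example DV CA"),)),
    "subjectAltName": (("DNS", "www.euprava.gov.rs"),),
}

if __name__ == "__main__":
    # A verdict with applies=True and ok=False is the case the proposal would have a browser flag.
    print(check_gov_issuer("www.euprava.gov.rs", SAMPLE_CERT))
```

With a live TLS socket, the dict from `getpeercert()` can be passed in unchanged.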

Comment 3 by stefan@certic.info, Jan 29 2017

Browser Behavior Proposal:

The warning message should not necessarily raise a connection-insecure warning. Instead it may present a warning that the issuer's legal obligations might differ from local law regulations, making the connection potentially insecure (or similar).
Labels: -Restrict-View-SecurityTeam -Via-Wizard-Security
Status: WontFix (was: Assigned)
Marking WontFix.

This is a request to restrict the set of CAs for specific domains, which is something the domain holder can express (via HTTP Public Key Pinning). Beyond that, we are not supportive of introducing additional requirements related to the legal establishment of the CA above/beyond what's already present in the Baseline Requirements.

You are free to submit your questions to questions@cabforum.org for CA/Browser Forum discussion, but at present, Chrome does not support any of the proposals put forward.

Comment 5 by stefan@certic.info, Jan 29 2017

Obviously you did not read it carefully. This is not specific to particular domains; this is specific to all .gov.* domains of any country.

This is submitted to CA/B, and it will take a year for any change to even be considered (assuming someone reads carefully).

It's a matter of impact on internet community privacy.

Anyhow, if you think different, cool - let it be WontFix.

The domain owner does not want to do that, and the point here is to warn users that their connection is actually not secure.

Not going to argue, but I suggest reading it again and re-thinking twice.
