X

Mozilla takes hard stance on protecting Web site certificates

After telecom giant TeliaSonera allegedly allowed authoritarian governments to snoop on their citizens, Mozilla contemplates whether or not to issue it a new root certificate.

Dara Kerr Former senior reporter
Dara Kerr was a senior reporter for CNET covering the on-demand economy and tech culture. She grew up in Colorado, went to school in New York City and can never remember how to pronounce gif.
Dara Kerr
2 min read

It's happened to everyone -- you visit a Web site and instead of the browser taking you directly to it, you get a notice that says you're about to visit an untrusted site. The reason this happens is because the browser hasn't certified the site.

This type of action could mean a slow death for such a Web site, since messages like these tend to scare off users.

Mozilla, Firefox's parent company, is now contemplating whether to give international telecom giant TeliaSonera this type of punishment, according to the Register. Apparently Mozilla might refuse to include a new root certificate in Firefox's list of trusted Certificate Authorities for TeliaSonera and the Web sites of the dozens of companies the telecom giant either owns or partially owns.

What did TeliaSonera do to deserve this?

Allegedly, the telecom company allowed Eastern European and Central Asian governments -- specifically Azerbaijan, Kazakhstan, Georgia, Uzbekistan, and Tajikistan -- to eavesdrop on citizen's private Internet use. The way TeliaSonera supposedly let this happen was by issuing certificates to the governments that let them pose as legitimate Web sites and decrypt Web traffic, according to the Register.

"TeliaSonera's roots are a topic of active and public discussion in the Mozilla community," a Mozilla spokesperson told CNET. "We have not reached a decision at this time. The decision to trust a certificate authority in Mozilla products is one we make very carefully. Each authority is publicly vetted before inclusion, and is required to provide regular, public audits of policy compliance once included."

A spokesperson for TeliaSonera told the Register that it has a "clean record" and like "all operators" of Web sites, it respects government requests for "lawful interception" of sites.

According to Information Week Security, a TeliaSonera senior public relations manager, Irene Krohn, said last month that the company only allows for interception surveillance services when the law in each country calls for it.

"The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime," Krohn said. "This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country."

While it's unclear what Mozilla will do, it does show that the company is looking at how Web site operators are working with authoritarian governments.

CNET contacted TeliaSonera for comment. We'll update the story when we get more information.

Updated at 6:05 p.m. PT with comment from Mozilla spokesperson.