Mozilla is considering distrusting the Dutch government’s Certificate Authority due to concerns over the country’s new security laws which grants security services broad powers it intercept and read encrypted messages. And with the UK government continue to push for restrictions on encryption, the battle between Mozilla and the Dutch government could be a prelude to a similar fight here. Kevin Bocek, Chief Cyber-Security Strategist at Encryption Experts Venafi commented below.
Kevin Bocek, Chief Cyber-Security Strategist at Venafi:
“In a huge twist of irony the Dutch government is joining the march to turn back privacy and join China and Russia in destroying the power of encryption for good. The Netherlands is considering new powers that would enable its state run issuer of machine identities to mint fake digital certificates. These certificates could be used for any machine in the world, from Google to Amazon, not just the Dutch government, so there is wide scope for misuse.
It’s ironic since the Netherlands was sent back to pencil and paper in 2011 when it’s official machine identity issuer – DigiNotar – was breached and used to aid Iran to trick and intercept private communications. DigiNotar issued fake certificates for Google, Microsoft, Skype and over 500 other machines and was subsequently bankrupted trying to clean up the mess. So you would think they’d know better.
Mozilla is leading the way here and, if the Dutch government doesn’t back down, other browsers should strongly consider following their lead and distrusting certificates provided by the Dutch government. Any CA that issues digital certificates for machines it hasn’t obtained authorisation for is a threat to privacy, and national security. It’s why Google and Mozilla have distrusted Chinese issuers such as CNNIC and WoSign, and why the US government demanded Apple, Microsoft, and Google respond. It may surprise many that our computers and mobile devices trust hundreds of CAs from around the world, including the US Department of Defense.
This is one more reason why businesses must be aware of digital certificates used maliciously. Technologies like Certificate Transparency and Certificate Reputation provide intelligence on what anyone from phishers to governments may be doing. Whether it’s thousands of phishing sites set up with legitimate machine identities or a government issuing certificates to intercept and break encryption, businesses can’t sit back on the sidelines and wait.
Hopefully the Dutch government will reconsider its actions and not break the system of trust behind privacy and commerce across the Internet. Unfortunately, this is a reminder of why the cryptowars were never really over. From the UK’s RIPA in 2001 to the Chinese cybersecurity law of 2017, governments are seeking to control the power of encryption.”