
From yakov@shaftek.biz  Thu Dec  3 05:43:48 2015
From: Yakov Shafranovich <yakov@shaftek.biz>
Date: Thu, 3 Dec 2015 08:43:02 -0500
Message-ID: <CAF5Urx8A6KAeWqmV6Abn79nPGeUsiJb-puKid7kDzTPrO-PKVg@mail.gmail.com>
To: perpass@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/perpass/FormT3p85UREp1l5o4IbVQK1vwg>
Subject: [perpass] Kazakhstan to MITM all SSL traffic on January 1st, 2016
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2015 13:45:59 -0000

This is being done via a "national" SSL certificate.

Original post has been taken down, archived version here:
https://web.archive.org/web/20151202203337/http://telecom.kz/en/news/view/18729

Hacker News:
https://news.ycombinator.com/item?id=10663843

Text:
-----
Kazakhtelecom JSC notifies on introduction of National security
certificate from 1 January 2016

From 1 January 2016 pursuant to the Law of the Republic of Kazakhstan
«On communication» Committee on Communication, Informatization and
Information, Ministry for investments and development of the Republic
of Kazakhstan introduces the national security certificate for
Internet users.

According to the Law telecom operators are obliged to perform traffic
pass with using protocols, that support coding using security
certificate, except traffic, coded by means of cryptographic
information protection on the territory of the Republic of Kazakhstan.

The national security certificate will secure protection of Kazakhstan
users when using coded access protocols to foreign Internet resources.

By words of Nurlan Meirmanov, Managing director on innovations of
Kazakhtelecom JSC, Internet users shall install national security
certificate, which will be available through Kazakhtelecom JSC
internet resources. «User shall enter the site www.telecom.kz and
install this certificate following step by step installation
instructions”- underlined N.Meirmanov.

Kazakhtelecom JSC pays special attention that installation of security
certificate can be performed from each device of a subscriber, from
which Internet access will be performed (mobile telephones and tabs on
base of iOS/Android, PC and notebooks on base of Windows/MacOS).

Detailed instructions for installation of security certificate will be
placed in December 2015 on site www.telecom.kz.

PR department
Kazakhtelecom JSC

30.11.2015
-----


From nobody Thu Dec  3 18:12:47 2015
From: Eric Burger <eburger@standardstrack.com>
In-Reply-To: <CAF5Urx8A6KAeWqmV6Abn79nPGeUsiJb-puKid7kDzTPrO-PKVg@mail.gmail.com>
Date: Thu, 3 Dec 2015 21:12:41 -0500
Message-Id: <D5375827-B74C-4841-911C-0469F91DB905@standardstrack.com>
References: <CAF5Urx8A6KAeWqmV6Abn79nPGeUsiJb-puKid7kDzTPrO-PKVg@mail.gmail.com>
To: perpass@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/perpass/v2TvMElnLUydmrGZtEd6x2UZZ1Q>
Subject: Re: [perpass] Kazakhstan to MITM all SSL traffic on January 1st, 2016


Government mandated front door for their citizens’ “protection.”

Is this the impetus to fix the root certificate problem? This
‘solution’ is 100% IETF compatible and compliant (!).

> On Dec 3, 2015, at 8:43 AM, Yakov Shafranovich <yakov@shaftek.biz> wrote:
>
> This is being done via a "national" SSL certificate.
>
> Original post has been taken down, archived version here:
> https://web.archive.org/web/20151202203337/http://telecom.kz/en/news/view/18729
>
> Hacker News:
> https://news.ycombinator.com/item?id=10663843
>
> Text:
> -----
> Kazakhtelecom JSC notifies on introduction of National security
> certificate from 1 January 2016
>
> From 1 January 2016 pursuant to the Law of the Republic of Kazakhstan
> «On communication» Committee on Communication, Informatization and
> Information, Ministry for investments and development of the Republic
> of Kazakhstan introduces the national security certificate for
> Internet users.
>
> According to the Law telecom operators are obliged to perform traffic
> pass with using protocols, that support coding using security
> certificate, except traffic, coded by means of cryptographic
> information protection on the territory of the Republic of Kazakhstan.
>
> The national security certificate will secure protection of Kazakhstan
> users when using coded access protocols to foreign Internet resources.
>
> By words of Nurlan Meirmanov, Managing director on innovations of
> Kazakhtelecom JSC, Internet users shall install national security
> certificate, which will be available through Kazakhtelecom JSC
> internet resources. «User shall enter the site www.telecom.kz and
> install this certificate following step by step installation
> instructions”- underlined N.Meirmanov.
>
> Kazakhtelecom JSC pays special attention that installation of security
> certificate can be performed from each device of a subscriber, from
> which Internet access will be performed (mobile telephones and tabs on
> base of iOS/Android, PC and notebooks on base of Windows/MacOS).
>
> Detailed instructions for installation of security certificate will be
> placed in December 2015 on site www.telecom.kz.
>
> PR department
> Kazakhtelecom JSC
>
> 30.11.2015
> -----
>
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass




From nobody Fri Dec  4 09:18:40 2015
From: Leif Johansson <leifj@mnt.se>
In-Reply-To: <CAF5Urx8A6KAeWqmV6Abn79nPGeUsiJb-puKid7kDzTPrO-PKVg@mail.gmail.com>
Date: Fri, 4 Dec 2015 18:18:30 +0100
Message-Id: <E7FAAA83-C658-44C9-B821-74DAAA32FA11@mnt.se>
References: <CAF5Urx8A6KAeWqmV6Abn79nPGeUsiJb-puKid7kDzTPrO-PKVg@mail.gmail.com>
To: Yakov Shafranovich <yakov@shaftek.biz>
Archived-At: <http://mailarchive.ietf.org/arch/msg/perpass/3TIdMHxt4h8LyTRjMy8ZFm-mwh8>
Cc: perpass@ietf.org
Subject: Re: [perpass] Kazakhstan to MITM all SSL traffic on January 1st, 2016

Sent from my iPhone

> On 3 Dec 2015, at 14:43, Yakov Shafranovich <yakov@shaftek.biz> wrote:
>
> This is being done via a "national" SSL certificate.

You must mean the 'plan to make terminations for benefit glorious nation of Kazakhstan'

