Re: SSL/TLS everywhere fail from Constantine A. Murenin on 2015-12-03 (ietf-http-wg@w3.org from October to December 2015)

From: Constantine A. Murenin <cnst@NetBSD.org>
Date: Thu, 03 Dec 2015 04:17:48 -0800
To: ietf-http-wg@w3.org
CC: Willy Tarreau <w@1wt.eu>, Matthew Kerwin <matthew@kerwin.net.au>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Poul-Henning Kamp <phk@phk.freebsd.dk>
Message-ID: <566032EC.6080605@NetBSD.org>
On 2015-12-02 22:31, Willy Tarreau wrote:
> On Thu, Dec 03, 2015 at 03:42:40PM +1000, Matthew Kerwin wrote:
>> On 3 December 2015 at 15:32, Martin J. Dürst <duerst@it.aoyama.ac.jp> wrote:
>>
>>> On 2015/12/03 08:18, Poul-Henning Kamp wrote:
>>>
>>>> That happened faster than even I thought:
>>>>
>>>>          http://telecom.kz/en/news/view/18729
>>>>
>>>
>>> It returns a 404 now, at least for me. Maybe they realized they didn't
>>> want the whole world to notice? Or it's just a local problem on my end?
>>>
>>> Regards,   Martin.
>>>
>>>
>> ???Looks like they took it down. The essence was: "To ensure the safety of
>> our citizens, all TLS connections will be terminated at the Kazakhstan
>> ???border, here is the government-provided root certificate you have to
>> install."
>
> Too bad I closed my browser window just before reading this e-mail, I could
> have copy-pasted it. Fortunately we have google cache, here's a copy of it
> before it expires. We'll have other opportunities to read such messages in
> the near future anyway.
>
> Willy
>
> ---
>
>    http://webcache.googleusercontent.com/search?q=cache:iNgneBgLnIUJ:telecom.kz/en/news/view/18729+&cd=2&hl=en&ct=clnk&gl=fr
>
>    "
>      Kazakhtelecom JSC notifies on introduction of National security certificate
>      from 1 January 2016
>
>      From 1 January 2016 pursuant to the Law of the Republic of Kazakhstan «On
>      communication» Committee on Communication, Informatization and Information,
>      Ministry for investments and development of the Republic of Kazakhstan
>      introduces the national security certificate for Internet users.
>
>      According to the Law telecom operators are obliged to perform traffic pass
>      with using protocols, that support coding using security certificate, except
>      traffic, coded by means of cryptographic information protection on the
>      territory of the Republic of Kazakhstan.
>
>      The national security certificate will secure protection of Kazakhstan users
>      when using coded access protocols to foreign Internet resources.
>
>      By words of Nurlan Meirmanov, Managing director on innovations of Kazakhtelecom
>      JSC, Internet users shall install national security certificate, which will be
>      available through Kazakhtelecom JSC internet resources. «User shall enter the
>      site www.telecom.kz and install this certificate following step by step
>      installation instructions"- underlined N.Meirmanov.
>
>      Kazakhtelecom JSC pays special attention that installation of security
>      certificate can be performed from each device of a subscriber, from which
>      Internet access will be performed (mobile telephones and tabs on base of
>      iOS/Android, PC and notebooks on base of Windows/MacOS).
>
>      Detailed instructions for installation of security certificate will be placed
>      in December 2015 on site www.telecom.kz.
>
>      PR department
>      Kazakhtelecom JSC
>
>      30.11.2015
> "
>


This is exactly what the "industry" has been asking all along.

You wanted all the web being encrypted?

	They're giving you encrypted!

Praising the deprecation of unencrypted HTTP?

	They've heard you, loud and clear!

Giving large warnings for self-signed certificates?

	OK, fine, we'll have our own CA, and'll import it for our users!

On a sidenote, isn't it a bit ironic how we've been building protocol 
and device interoperability and backwards compatibility for decades, 
only to now be told that a two-year-old phone is not supposed to be 
capable of accessing a public information resource website like ftc.gov, 
not because of extra life-saving features or a budget oversight, but 
purposefully because some zealots think that security buzz-words are 
more important than free information access by the means convenient to 
the public?

Here it is, the moment of zen:

% lynx -dump en.wikipedia.org

Looking up en.wikipedia.org
Making HTTP connection to en.wikipedia.org
Sending HTTP request.
HTTP request sent; waiting for response.
HTTP/1.1 301 TLS Redirect
Data transfer complete
HTTP/1.1 301 TLS Redirect
Using https://en.wikipedia.org/
Looking up en.wikipedia.org
Making HTTPS connection to en.wikipedia.org
SSL callback:certificate has expired, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up en.wikipedia.org
Making HTTPS connection to en.wikipedia.org
Alert!: Unable to make secure connection to remote host.

lynx: Can't access startfile http://en.wikipedia.org/
%

Where's backwards compatibility?

Where's a failsafe?

C.
Received on Thursday, 3 December 2015 12:20:29 UTC