The Netherlands is introducing a new security law in January 2018 that grants new powers to the Dutch intelligence and security services, including metadata retention and interception powers, prompting Mozilla to consider excluding the country's certificate authority from its trust list.
On its website, Mozilla says that its policy regarding national security requirements, which it applies to itself, is that companies should limit data collection to what is needed, anonymise data where possible and delete data when it is no longer necessary.
There are concerns that SSL proxying could be abused to enable interception, hence a proposal that the national CA should be taken off Firefox's automatic trust list. Consequently Mozilla concludes it should revoke trust for the Staat der Nederlanden CA (certificate authority) as, “Allowing the Ministry of Interior and Kingdom Relations to continue operating a trusted CA in a country hosting a major Internet transit point would be detrimental to the security of all Mozilla users.”
Also on the Mozilla site, the organisation reports that this revision of the law will authorise the intelligence and security services to intercept and analyse cable-bound (Internet) traffic, and will include far-reaching authorisations, including covert technical attacks, to facilitate their access to encrypted traffic. Article 45 1.b explicitly authorises the use of "false keys" in third-party systems to obtain access to systems and data.
As The Netherlands is a major transit point for services into and out of Europe, the implications extend outside the country.
The new "Wet op de inlichtingen- en veiligheidsdiensten (Wiv)" (Law for intelligence and security services) has been accepted by the Dutch Government. The certificate authority of the Staat der Nederlanden is operated by The Netherlands' General Intelligence and Security Service (AIVD), hence Mozilla's contention that it should not be trusted.
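The mechanics behind Mozilla's decision are worth seeing concretely: any root in a browser's trust list can sign a certificate for any hostname, and the only thing that stops such a certificate from validating is the root's absence from the trust store. The script below is an added illustration, not code from the article, Mozilla or the Dutch CA. It assumes only the openssl command-line tool; every CA name, hostname and file path in it is constructed. It builds a stand-in root, has that root issue a leaf for a hostname it has no authority over, and then validates the leaf against a trust store that still contains the root and against one from which it has been removed.

```shell
#!/bin/sh
# Added illustration (not from the article, Mozilla or the Dutch CA): what it
# means, mechanically, for a browser to drop a CA from its trust list.
# Assumes only the openssl CLI. Every name and path below is constructed.

# Build a constructed root CA plus one leaf certificate it has issued, and a
# second, unrelated root to stand in for "the rest of the trust store".
# Sets ROOT, OTHER_ROOT and LEAF to the resulting PEM paths.
build_demo() {
  WORK=$(mktemp -d)
  # Root 1: the CA under discussion (a stand-in for any trusted root).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Constructed National Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Root 2: some other CA, the only one the "after removal" store keeps.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Constructed Unrelated Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
  # Leaf: a certificate for a hostname the issuing CA does not control.
  # Nothing in X.509 itself prevents a trusted root from signing this; only
  # the trust store, plus monitoring such as Certificate Transparency, does.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -sha256 -days 365 \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
  ROOT="$WORK/root.pem"; OTHER_ROOT="$WORK/other.pem"; LEAF="$WORK/leaf.pem"
}

# Validate LEAF ($2) against a trust store that contains only the roots in
# TRUSTFILE ($1); the system's default CA file and directory are ignored so
# the model store is exactly what we say it is. Returns 0 on success, 1 otherwise.
verify_against_store() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

build_demo
if verify_against_store "$ROOT" "$LEAF"; then
  echo "root still trusted: leaf for www.example.test validates"
fi
if ! verify_against_store "$OTHER_ROOT" "$LEAF"; then
  echo "root removed from trust store: the same leaf is rejected"
fi
```

The first check passes and the second fails, which is the whole effect of a root-store removal: the certificate and its signature are unchanged, but clients whose trust list no longer includes that root refuse it. Note that nothing in the issuing step asked whether the CA was authorised for www.example.test; detecting unauthorised issuance is what Certificate Transparency monitoring is for, and it is independent of whether the root is trusted.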
In an email to SC Media UK, Kevin Bocek, chief cyber-security strategist at Venafi, articulates industry concerns that this could be the thin end of the wedge for government subversion of trust in the Internet. “In a huge twist of irony the Dutch government is joining the march to turn back privacy and join China and Russia in destroying the power of encryption for good. The Netherlands is considering new powers that would enable its state-run issuer of machine identities to mint fake digital certificates. These certificates could be used for any machine in the world, from Google to Amazon, not just the Dutch government, so there is wide scope for misuse.
“It's ironic since the Netherlands was sent back to pencil and paper in 2011 when its official machine identity issuer – DigiNotar – was breached and used to aid Iran to trick and intercept private communications. DigiNotar issued fake certificates for Google, Microsoft, Skype and over 500 other machines and was subsequently bankrupted trying to clean up the mess. So you would think they'd know better.
“Mozilla is leading the way here and, if the Dutch government doesn't back down, other browsers should strongly consider following their lead and distrusting certificates provided by the Dutch government. Any CA that issues digital certificates for machines it hasn't obtained authorisation for is a threat to privacy and national security. It's why Google and Mozilla have distrusted Chinese issuers such as CNNIC and WoSign, and why the US government demanded Apple, Microsoft, and Google respond. It may surprise many that our computers and mobile devices trust hundreds of CAs from around the world, including the US Department of Defense.
“This is one more reason why businesses must be aware of digital certificates used maliciously. Technologies like Certificate Transparency and Certificate Reputation provide intelligence on what anyone from phishers to governments may be doing. Whether it's thousands of phishing sites set up with legitimate machine identities or a government issuing certificates to intercept and break encryption, businesses can't sit back on the sidelines and wait.
“Hopefully the Dutch government will reconsider its actions and not break the system of trust behind privacy and commerce across the Internet. Unfortunately, this is a reminder of why the cryptowars were never really over. From the UK's RIPA in 2001 to the Chinese cyber-security law of 2017, governments are seeking to control the power of encryption.”