Tor users should be relieved to learn that the flaw found in Cyberoam’s deep packet inspection device has been fixed. The Tor Project publicized the flaw when they reported a user in Jordan “seeing a fake certificate for torproject.org.” In order to scan users’ connections, Cyberoam directs the user’s browser to trust Cyberoam’s own CA, so that the browser will accept the fake certificates the device issues for sites using HTTPS, like torproject.org. Although Tor considers that to be “the only legitimate way to” set up a DPI device, they discovered a problem with Cyberoam’s implementation. After some research, Tor learned that all Cyberoam Deep Packet Inspection (DPI) devices share the same CA certificate. Because all the devices used the same certificate, and therefore the same private key, it is possible to intercept data coming from one Cyberoam device by using another Cyberoam device. This flaw makes it possible for someone to intercept a Tor user’s connection if it relies on a fake Cyberoam certificate. This is precisely what happened to the user in Jordan. An anonymous user later divulged the private key in the comments section of Tor’s blog post on the matter.
Tor made this announcement one week ago, and Cyberoam reports that an over the air (OTA) hotfix was put into effect yesterday. According to Cyberoam:
[the fix] forcefully generated unique keys for all the remaining appliances. This means that every Cyberoam UTM appliance now has a unique CA thus protecting the customers even if the private key is exposed willfully or by accident.
Cyberoam, in their post, also alludes to feeling singled out by Tor. They recognize the “critical nature” of the situation, but resent the spotlight being placed on them as opposed to “other companies who also use a universal CA for [their] devices” as well.
Referring to these other companies that use default CAs, Cyberoam states, “we think that the industry needs to react to this on an urgent basis so that a deeper crisis is averted.” Although Tor can provide some measure of anonymity and protection while browsing, this event highlights that there are still risks of surveillance.
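To make concrete why one CA key shared across appliances lets certificates minted by one device be accepted by another device’s users, and what a “unique CA per appliance” hotfix changes, here is an added demonstration built on the openssl command line. It is not Cyberoam’s or Tor’s code; the host name, appliance labels and file names are constructed for the illustration.

```shell
#!/bin/sh
# Added demonstration (not Cyberoam's or Tor's code): two DPI appliances that were
# imaged with the same CA private key, then the hotfix state in which each appliance
# holds its own key. Requires only the openssl CLI; all names here are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed interception CA certificate derived from an existing key.
make_ca_cert() { # $1=ca key  $2=cert out
  openssl req -x509 -new -key "$1" -days 1 -subj "/CN=DPI interception CA" \
      -out "$2" 2>/dev/null
}

# What an appliance does per connection: mint a leaf for the host the user visits.
issue_leaf() { # $1=ca key  $2=ca cert  $3=host  $4=leaf out
  openssl req -new -newkey rsa:2048 -nodes -keyout "$4.key" -subj "/CN=$3" \
      -out "$4.csr" 2>/dev/null
  openssl x509 -req -in "$4.csr" -CA "$2" -CAkey "$1" -CAcreateserial -days 1 \
      -out "$4" 2>/dev/null
}

# A browser that trusts only CA cert $1: prints accepted/rejected for leaf $2.
browser_verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Scenario 1: appliance A (whose CA the user installed) and appliance B share one key,
# so a leaf minted by B chains to the CA the user trusts.
shared_key_scenario() {
  openssl genrsa -out "$WORK/shared.key" 2048 2>/dev/null
  make_ca_cert "$WORK/shared.key" "$WORK/a_ca.pem"   # trusted by the user's browser
  make_ca_cert "$WORK/shared.key" "$WORK/b_ca.pem"   # a different appliance elsewhere
  issue_leaf "$WORK/shared.key" "$WORK/b_ca.pem" www.example.test "$WORK/b_leaf.pem"
  browser_verdict "$WORK/a_ca.pem" "$WORK/b_leaf.pem"
}

# Scenario 2 (the hotfix): each appliance generates its own key, so B's leaf no
# longer verifies under A's CA even though the CA names are identical.
unique_key_scenario() {
  openssl genrsa -out "$WORK/a.key" 2048 2>/dev/null
  openssl genrsa -out "$WORK/b.key" 2048 2>/dev/null
  make_ca_cert "$WORK/a.key" "$WORK/a2_ca.pem"
  make_ca_cert "$WORK/b.key" "$WORK/b2_ca.pem"
  issue_leaf "$WORK/b.key" "$WORK/b2_ca.pem" www.example.test "$WORK/b2_leaf.pem"
  browser_verdict "$WORK/a2_ca.pem" "$WORK/b2_leaf.pem"
}

echo "shared key:  $(shared_key_scenario)"   # accepted
echo "unique keys: $(unique_key_scenario)"   # rejected
```

The same check applies in the field: a browser that sees a site certificate chaining to a private interception CA rather than a public one is looking at a DPI device’s certificate, and the hotfix only helps if that CA’s key is unique to the appliance in front of you.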

The Russian-language version of Wikipedia will be dark for 24 hours to protest a proposed law that would allow a government agency to blacklist websites containing pornography, drug advertisements or extremist ideas. The Duma, Russia’s parliament, is slated to review the controversial amendments to the country’s “Law on Information” for the second of three readings on Wednesday.
Supporters of the amendments — titled “On the protection of children from information harmful to their health and development” — say the federal register of banned websites will help stop the spread of pornography and extremist propaganda. Opponents argue the scope of the law is too vague, allowing the government too much latitude in determining what sites can be banned and opening the door to greater online censorship.
Under the law, websites “that contain pornography or drug references, or that promote suicide or other ‘extremist ideas,’ will face blacklisting.” Websites breaking the law will have 24 hours to remove objectionable content before Internet service providers are expected to shut down websites. Roskomnadzor, Russia’s federal communications regulator, will supervise the registry of banned websites, but a non-profit organization will monitor compliance with takedown requests. According to some media reports, courts and the security services can also add websites to the blacklist.
In response to this legislation, visitors to the Russian-language Wikipedia homepage are greeted by a message that reads (translated):
Imagine a world without free knowledge. The Duma will hold a second hearing on the introduction of amendments to the Law on Information, which could lead to the creation of extrajudicial censorship of all the Internet in Russia, such as shutting down access to Wikipedia in Russian. Today the Wikipedia community protests the introduction of censorship, which is dangerous to the free knowledge open to all mankind. We ask you for support in opposing this legislation.
In a linked page explaining its decision, Wikipedia further outlines its concerns that “these amendments could become the basis for real censorship of the Internet” by forming a “list of banned websites and IP addresses” that can subsequently be filtered.
Livejournal, which is Russia’s most popular blogging platform, remains operational, but also outlines its concerns regarding the law on its website:
In practice this means that a provider will be able to block a certain site on ministerial orders without a court’s judgment. We believe that the amendments to the law can lead to censorship in the Russian segment of the Internet, creating a blacklist, stop-lists and blocking certain sites. Unfortunately, the practice of law in Russia indicates a high probability of the worst-case scenario.
In January, the English-language version of Wikipedia and other websites like reddit instituted a similar blackout to protest anti-piracy legislation in the United States Congress.
Russia’s Internet (RuNet) is a growing source of independent information in a mass media environment dominated by state-owned television channels and few independent media sources. RuNet remains relatively free in comparison to the “Great Firewall” of neighboring China. Internet use is on the rise with 38 percent of Russians using the Internet daily, up from 22 percent two years ago. Over the past eight months, blogs and social media have been key to organizing massive street protests across Russia following the December 2011 Duma election. One of the key opposition figures to arise from the protests is a popular anti-corruption blogger, Alexei Navalny, who noted on his blog that this proposed legislation was an attempt by the Kremlin to win an ideological battle over the Internet.
Read a translation of the Russian amendments here (by Google Translate).
The United Nations’ Human Rights Council last week voted to protect people’s freedom of expression on the Internet. The council explained the rationale behind the resolution:
The exercise of human rights, in particular the right to freedom of expression, on the Internet is an issue of increasing interest and importance as the rapid pace of technological development enables individuals all over the world to use new information and communications technologies.
With this guiding the Council’s decision, they approved five provisos highlighting the importance of the Internet as a tool fostering freedom of expression. The resolution declares that “the same rights that people have offline must also be protected online”, and that all states must “promote and facilitate access to the Internet and international cooperation aimed at the development of media and information and communications facilities in all countries.”
While the measure was approved by a landslide, the National Post writes that “in speeches, both China and Cuba voiced reservations.” China, a country infamous for web filtering and censorship, tiptoed around the issue of free web browsing and the need for censorship. “We believe that the free flow of information on the Internet and the safe flow of information on the Internet are mutually dependent,” said Chinese delegation counselor Xia Jingge.
Cuba’s main reservation was not the need to regulate Internet usership, but that many countries have little or no web access to begin with. Cuban ambassador Juan Antonio Quintanilla remarked in a speech, “only 30 percent of the world population currently has access to this form of technology.”
Despite the few critical voices, many deem this a landmark vote for the UN. Swedish foreign minister Carl Bildt, writing in the New York Times, says this decision “demonstrated that maintaining the free flow of information on the Internet is a global call and not something pushed only by a few Western states.” Beyond the resounding multipartisan support, Bildt believes the resolution also emphasizes the importance of the Internet as a tool for economic growth and improving quality of life:
The vote in Geneva on Thursday was a breakthrough of fundamental importance. Beyond affirming that freedom of expression applies also to the Internet, the resolution also recognized the immense value the Internet has for global development and called on all states to facilitate and improve global access to it.
The next question for the United Nations is how to put this resolution into action. It is unclear whether countries will take any additional steps in light of the resolution. As many keep pointing out, this resolution is not enforceable. Thus, countries have no active obligation to improve online freedom of expression within their borders. Moreover, there has been movement in the opposite direction, with some democratic countries taking steps to filter public Internet use, mostly in reaction to public accessing of porn websites and to illegal sites like the Pirate Bay.
If countries do not take action, some see the onus for action in technology companies’ hands, as they are the ones who created “the tools that countries use to monitor and circumscribe their citizens on the Internet.” Others, however, do not foresee tech companies taking responsibility for freedom of speech.
The Pew Institute recently performed a survey asking technology experts the following question: “How far will tech firms go in helping repressive regimes?” The results were split, highlighting the fine line between business imperatives maintaining the status quo, and the potential role consumer backlash could play if companies were exposed for complying with regimes’ requests.
While symbolically momentous, the future of this measure’s implementation, and its concomitant ramifications, remain uncertain.