January 28, 2017

Goverment domains SSL Policy Oversight

I have raised a serious security issue in regards to browser trust behavior within countries who don't have specific set of laws and regulations yet, but using foreign SSL authorities to secure GOV (Government domains).

Those SSL Authorities are not legally incorporated within the territory and do not require to meet local regulations of citizen data protection.

Presenting connection as secure for services that Citizen use to fill tax reports, even sign up children to a Kindergarten is misleading and open up a privacy issue, since theoretically another country (of the issuer) may exploit the data in accordance with their local laws that might differ from local.

In personal opinion, no government service (.gov domain) of any country should be presented as Secure in any browser, unless certification body is legally incorporated at the territory. 

There is a case study in regards to Republic of Serbia situation at: https://www.certic.info/serbiaitcapitulation.php i created minutes after discovering that the service used to transmit most sensitive data, (including personal ID keys) is secured by Comodo, who has no local legal incorporation and holds no liability.

This is something that requires a strong debate within internet community, especially within countries affected.

Please share your opinion, the strength of impact and ideas on how to address this.

Click Here!