A message for Linux.com registered users: We are in the process of making changes to the Linux forums. Starting Monday, 8/13/18 at 6:00 PM PT, you will be unable to access the forums. They will re-launch as soon as possible on Wednesday, 8/15/18 with new features and improved functionality. Thank you for your patience and stay tuned for the new improved forums.

January 28, 2017

Goverment domains SSL Policy Oversight

I have raised a serious security issue in regards to browser trust behavior within countries who don't have specific set of laws and regulations yet, but using foreign SSL authorities to secure GOV (Government domains).

Those SSL Authorities are not legally incorporated within the territory and do not require to meet local regulations of citizen data protection.

Presenting connection as secure for services that Citizen use to fill tax reports, even sign up children to a Kindergarten is misleading and open up a privacy issue, since theoretically another country (of the issuer) may exploit the data in accordance with their local laws that might differ from local.

In personal opinion, no government service (.gov domain) of any country should be presented as Secure in any browser, unless certification body is legally incorporated at the territory. 

There is a case study in regards to Republic of Serbia situation at: https://www.certic.info/serbiaitcapitulation.php i created minutes after discovering that the service used to transmit most sensitive data, (including personal ID keys) is secured by Comodo, who has no local legal incorporation and holds no liability.

This is something that requires a strong debate within internet community, especially within countries affected.

Please share your opinion, the strength of impact and ideas on how to address this.

Click Here!