Mozilla cites Mauritius’ sniffing bid to dispute controversial web certificates 

Mozilla has stepped up its efforts to dissuade EU lawmakers from forcing web browsers to recognize the validity of contentious web certificates created by the bloc.

In its campaign, Mozilla cited large-scale snooping campaign by Mauritius as an example of the activity the regulation could enable.

The non-profit architect of the Firefox browser has launched a campaign urging Members of the European Parliament (MEPs) to amend proposals tabled by the European Commission (EC) that would oblige browsers to accept Qualified Website Authentication Certificates (QWACs).

The EU created QWACs in 2014 to validate a website’s professed identity and therefore – in theory – protect users from fraud, malware, and surveillance.

However, QWACs, which are based on somewhat discredited extended validation certificates, have failed to gain much of a foothold in the web ecosystem in the eight years since their introduction.

Mozilla argues that QWACs are inferior to the existing, longstanding web authentication ecosystem, and that the EC proposal would bypass “the critical first line of defense against cybercrime on the web”.

With MEPs expected to vote on the proposal in October, Mozilla launched a #SecurityRiskAhead campaign on July 13 with a carnival-style duck-fishing game pitched outside the European Parliament in Brussels.

Owen Bennett, Mozilla’s senior public policy manager for Europe, told The Daily Swig that Mozilla’s message appeared to be gaining traction.

The QWACs amendment – article 45.2 – was deleted from a recent draft report (PDF) for the EU’s digital identity framework in order to accommodate revisions, and various security-related amendments have already been tabled in parliament, he said.

The Internet Society, Electronic Frontier Foundation (EFF), and the world’s largest certificate authority, Let’s Encrypt, have also campaigned against the proposal.

Trusted system

The browser-led web authentication system in place sees certificated websites using the TLS-encrypted HTTPS protocol and displaying a padlock icon in the URL address bar to advertise their secure status.

Web – or SSL – certificates are currently issued by more than 100 certificate authorities (CAs), which are vetted by Mozilla and other leading browser makers, including Google, Microsoft, and Apple.

Critics of QWACs, which are issued by ‘Trust Service Providers’ (TSPs) approved by governments of EU member states, argue that they cannot draw on comparable technical expertise and resources. They can also point to the fact that hundreds of millions of web users happily submit payment card details online as evidence that the status quo is widely, and justifiably, trusted.

Mozilla CSO Marshall Erwin warned that if the well-intentioned EC proposal were “copied elsewhere, the regulation will give the tools to governments to carry out state-sponsored surveillance of internet traffic”.

Mozilla cited large-scale snooping campaigns by Iran’s theocracy in 2011 and the governments of Kazakhstan and Mauritius in 2020 and 2021 respectively as examples of the activity the regulation could enable.

Last year, Maurius regulator Information and Communication Technologies Authority (ICTA) attempted to route all social media web traffic through government proxy servers, allowing it to be cached, searched, surveilled, and blocked.

Malicious hackers are often said to use a similar tactic, known as a “man in the middle” attack.

In Mauritius’ case, the attack would be open, permanent, and sanctioned by domestic law.

The Mauritian government justified the intrusion on its citizens because social media companies are not adequately responsive to their demands for content takedowns

It wanted a government-appointed body to do the blocking while also spying on every post, message, and search. 

During the 2019 general election, the state-owned Mauritius Broadcasting Corporation was accused of violating neutrality and impartiality requirements. Election results were challenged in nearly half of the country’s electoral districts.

After the elections in 2014, the outgoing prime minister was arrested, but all 11 criminal charges against him were struck out.

The authorities sought to arrest the director of public prosecutions, and when they failed due to the timely intervention of a Supreme Court judge, the government attempted to amend the constitution to provide for a Prosecution Commission that could overrule him.

Over the past year, elected Members of Parliament have been suspended on multiple occasions.

In 2018, the government amended the Information and Communication Technologies Act (ICTA) to criminalize messages that were “obscene, indecent, abusive, threatening, false or misleading” or were “likely to cause … annoyance, humiliation, inconvenience, distress or anxiety.”

Civil rights activists argue that the government has used this vague language to persecute its critics, arresting individuals for retweeting cartoons or video clips about politicians.

Last year, the state’s media authority also suspended the license of a popular private radio station, and an attempt at a second suspension following comments critical of the government’s foreign policy was stayed by the Supreme Court. 

A few weeks ago, the CEO of Mauritius Telecom, Sherry Singh resigned, alleging the Government had attempted to install sniffing equipment on the SAFE cable.

The government responded that it was simply a “state security survey”. A group of Indian technicians were flown into the country for the exercise.

With inputs from The Daily Swig, Slate.com and Future Tense.