www.gov.mu -- Is it safe enough? Doubtful! Then #NoToBiometricIDCard

The topic was tossed several times last year. Beginning 2014 it was again brought up when we discussed the .mu domain. Yes, I'm talking about DNSSEC. If I go through my emails I can still pull out a whole discussion that went lengthy on the Mauritius Internet Users mailing list. Unfortunately, at some point discussion stops & the topic goes dormant.

The past few days however, a whole different picture cropped up while serious discussions started over security issues surrounding the new Identity Card, as I met several people from various fields.

I would like to highlight that I am NOT against a new & modern Identity Card. Hey! But wait, modern doesn't mean just sell us anything. The new ID Card boasts a lot about security stuff. I read the Prime Minister's speech (during the Official Launching of the new Mauritius National Identity Card) from Year 2013 archives available on the Government Portal. Below is an excerpt that highlights something about security.

My Government has a vision to continue to innovate and embrace technology in a proactive and safe manner where security, data protection and civil liberties are at the heart of our considerations.

Let's take each into consideration.

Security

We should start with what we see first. The new ID Card will facilitate communication & sharing of information across various government & private agencies. Citizens should be able to log in the Government Portal and effect transactions. What's the Government Portal URL? You should know it by now. Yes it's www.gov.mu. Let's look at its anatomy.

gov-mu_anatomy

The Government Portal URL can be broken into three parts: the Country Code Top Level Domain, which is mu; the Government domain, which is gov; and a sub-domain, which in this case is www.

Now, let's see what is DNSSEC and then we'll come back to the Government Portal. I'll take extracts from the ICANN website with slight modification to simplify it.

Vulnerabilities in the DNS (Domain Name System) were discovered that allow an attacker to hijack the process of looking up a website on the Internet using its domain name. The purpose of the attack is to take control of the session to, for example, send the user to the hijacker's own deceptive web site for account and password collection. How to prevent this? DNSSEC is a technology that was developed to, among other things, protect against such attacks by digitally ‘signing’ data so you can be assured it is valid. It must be deployed at each step in the lookup from top-level domain to final domain name (from mu through gov till www). Signing the root zone (top-level domain), that is deploying DNSSEC, is a necessary step in this overall process. This process does not encrypt data. It just attests to the validity of the address of the site you visit.

gov-mu_dnsses

As we understood, to prevent ourselves from one day landing on a fake www.gov.mu website, DNSSEC must be deployed on the root zone, which is the top-level domain mu, and the signing process continued until the full domain is signed. Question: Is the Mauritian Government Portal safe from such vulnerabilities? Nope! We can test this using an online tool provided by VeriSign Labs, and let's compare with other government portals.

gov-mu-dnssec-result

Oops! The results show we might not be as safe as we thought.

gov-uk-dnssec-result
usa-gov-dnssec-result

UK & USA look less vulnerable.
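The level-by-level check described above can also be scripted. The following is an added example, not part of the original post and not the VeriSign tool's code: it walks a name from the top-level domain down and reports where the chain of signed delegations holds or breaks. The `www.gov.example` records are constructed sample data, `dig_has` assumes the `dig` utility is installed, and only the presence of records is checked, not the signatures themselves.

```python
import subprocess

def zones(fqdn):
    """'www.gov.mu' -> ['mu', 'gov.mu', 'www.gov.mu'], top-level domain first."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]

def chain_of_trust(fqdn, has):
    """Walk the lookup path and report where the DNSSEC chain holds or breaks.

    has(name, rrtype) -> bool says whether that record exists. Only the
    presence of records is checked; signatures are not verified here.
    """
    report, trusted = [], True           # the root zone is signed (trust anchor)
    for name in zones(fqdn):
        if has(name, "SOA"):             # zone apex: needs DS at parent + own DNSKEY
            if not (trusted and has(name, "DS")):
                status = "insecure"      # no signed delegation from the parent
            elif not has(name, "DNSKEY"):
                status = "bogus"         # DS promises keys the zone does not publish
            else:
                status = "signed"
        else:                            # ordinary name inside the parent zone
            status = "signed" if trusted and has(name, "RRSIG") else "insecure"
        trusted = status == "signed"     # anything below a break is unreachable
        report.append((name, status))
    return report

def dig_has(name, rrtype):
    """Live lookup, assuming `dig` is installed and a resolver is reachable."""
    qtype = "A" if rrtype == "RRSIG" else rrtype   # signatures come with the A answer
    out = subprocess.run(["dig", "+dnssec", "+noall", "+answer", name, qtype],
                         capture_output=True, text=True, timeout=15).stdout
    rows = (line.split() for line in out.splitlines())
    return any(len(f) > 4 and f[0].rstrip(".").lower() == name and f[3] == rrtype
               for f in rows)

# Constructed sample (not a measurement of any real domain): the TLD is signed,
# but the delegation to gov.example carries no DS record.
SAMPLE = {("example", "SOA"), ("example", "DS"), ("example", "DNSKEY"),
          ("gov.example", "SOA")}

def sample_has(name, rrtype):
    return (name, rrtype) in SAMPLE

if __name__ == "__main__":
    for name, status in chain_of_trust("www.gov.example", sample_has):
        print(f"{name:20} {status}")
    # Live check of the portal discussed above: chain_of_trust("www.gov.mu", dig_has)
```

A single unsigned level is enough to leave every name below it unprotected, which is why the sample reports `www.gov.example` as insecure even though its top-level domain is signed.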

Aww! Does that mean someone could hijack www.gov.mu, obtain my login credentials and effect a transaction that I'll be unaware of? Officials could debunk this as far-fetched. Sorry boss, nothing is far-fetched when you have a bank of data that contains biometric information of more than 900,000 citizens.

In my quest to know procedures of alerting concerned authorities about vulnerabilities, I recently visited CERT-MU (website for the National Computer Security Incident Response Team). The mere instructions & sight of the Vulnerability Reporting process made me #facepalm.

cert-mu-reporting-form

Above screenshot taken from CERT-MU website

Sorry, I do not use Internet Explorer. Besides, the Vulnerability Reporting form is designed using some proprietary software. The form doesn't work on Linux. Acrobat Reader is no longer available on Linux & the form doesn't work with alternative PDF readers. Please, don't bother telling me to use Microsoft Windows along with an Antivirus. I prefer everyone using Linux at my place. My mom isn't as cautious as me when she surfs the Internet. If a window pops up telling her she has won $ 1,000,000 in lottery, she WILL CLICK it (^^,) ...

I stopped right there. Searching anything else would make me hate the website even more.

Data Protection

A lot happened the last two weeks. L'Express & Le Mauricien covered the stories that highlighted privacy concerns. Should I get in touch with the Data Protection Office in that matter? Maybe. Things are happening new, learning procedures along the way & discovering stuff that makes me #facepalm at almost every step.

Civil Liberties

Not really my cup of tea, oops, coffee I mean. I'll leave this part to the Human Rights activists. However, I do feel my rights being ripped by compelling me into giving fingerprints & a biometric photo to get a new Identity Card, all while security isn't yet the top-priority.


So far, for every problem we have in the country, be it traffic congestion, leaking pipes or new ID Card, Mauritian Government is looking for solutions around the world. Folks, you have traveled enough. Take a deep breath, relax and meditate. Invest in your human resources & maybe in the next few years Mauritius will be exporting technology instead of buying.

Lastly, an open letter to whom it may concern.

Dear Government,

I trust you're well.

Radio everyday broadcasts campaigns to get the New ID Card before 15 September 2014 in order to avoid last minute queues. However, I have issues regarding the matter.

I want my New ID Card before 15 September too, but unfortunately according to information published on the MNIC website and elsewhere, it looks like the authorities won't give me a new ID Card without my fingerprint and biometric photo. People speak of fine & imprisonment. This is scary. I trust you're not going to jail anyone for refusing to give his/her fingerprint.

No. The biometric information doesn't guarantee safety from identity theft. Let's not argue on that.

I am born a Mauritian & I believe I have the right to a new ID Card without giving information that has nothing to do with an Identity Card.

I hope you respect my civil liberties and thank you for understanding.

Sincerely,

A Mauritian

PS: http://gov.mu has been broken for years. It resolves to nothing. Some browsers redirect to http://www.gov.mu after a long wait but that's annoying. Citizens of Mauritius would be grateful if you could fix it please.
