Thailand’s ICT Ministry has set up a committee to find a way to eavesdrop on SSL web encryption according to a newly leaked document by the Thai Netizen Network.
The committee was set up on 15 December by ICT Minister Group Captain Pornchai Rujiprapa.
The committee has three named individuals with military ranks alongside four representatives each from the National Intelligence Agency,Technology Crime Suppression Division, National Broadcasting and Telecommunications Commission, Ministry of Defence, Royal Thai Army Headquarters, Army, Navy, Air Force and four from the ICT Ministry itself.
It was TCSD commander Police Major-General Pisit Pao-in who last in August 2013 said that he was had access to LINE IM chat messages to check for undesirable content.
The committee’s task according to the document is to operate, test and evaluate a system to surveil SSL connections within a Thailand context.
The committee is to work with IIG providers and key industry individuals to test the online surveillance.
The wording of the letter suggests that they have such a system ready to evaluate.
Earlier on Thursday, one source contacted TelecomAsia with a tip-off that soon people can expect SSL errors connecting to Facebook. The source was a VPS operator using CAT’s IDC.
However, Thailand’s national root certificate authority CA) is operated by the Electronic Transactions Development Agency under the ICT Ministry. Two of the three commercial CAs that issue certificates are the state telcos CAT Telecom and TOT Corporation, both also under the control of the ICT Ministry.
It is unlikely that the Thai government has actually purchased equipment that can break SSL, but with rouge CAs it would be possible to issue a fake CA for, say, Facebook.com or YouTube.com and carry out a man-in-the-middle attack. The challenge would be to get the national root certificate installed on end user devices.
On 5 November, Pornchai announced that a locally made low-cost tablet would be made as part of the Digital Economy initiative
This is part of the same program that has now erupted into controversy over the cyber security bill and in particular how it removes the court’s role in authorising surveillance and gives it to a committee chaired by the Prime Minister.