23 votes

Kazakhstan ISPs begin intercepting all HTTPS traffic

7 comments

  1. Soptik

    This is not new, at least not this concept. I remember reading a few months (or was it a year already) back about this in some Mozilla channel, where someone feared this would happen and asked what would be done. I'll try to find the thread.

    I wonder if this will even work on most devices. When I wanted to snoop on what an Android application sends over the network so I can reverse engineer its API and see the content of the HTTP requests for research purposes, I had to take the API, swap one library for another much older version and then reinstall the whole APK, as it wouldn't accept my own certificate otherwise.

    On the other hand, the government probably doesn't care too much about the handful of users that will see the invalid certificate warning for most websites, and will probably find a way to evade HTTP StrictTransportPolicy. This policy defines that a site can only be accessed via https and with a valid certificate.

    Edit: Here is the historical Bugzilla thread. It was actually 4 years ago when this started.

    The measure is not yet in force but the Kazakhstan government has announced plans to require all KZ internet users to install a special "national security certificate" in their browsers, so that KZ Telecom can MITM the traffic. This also affects browsers and software other than Firefox.

    Edit 2: Here is the Google Groups discussion (Mozilla Security), spanning from 2016 to now. It's interesting to see such an old thread revive like this.

    Edit 3: One of the messages from Google Groups:

    Let's posit what might happen if Mozilla made their products intentionally
    break for this use case.

    Further, let's stipulate that every other major browser follows course and
    they all blacklist this or any other nation-state interception certificate,
    even if manually installed.

    Isn't the logical outcome that the nation-state forks one of the
    open-source browser projects, patches in their MiTM certificate, and
    un-does the blacklisting? I think that's exactly what would happen. The
    trouble is, there's no reason to expect that the fork will be maintained or
    updated as security issues are discovered and upstream patches are issued.
    We wind up with an infrequent release cycle browser being used by all these
    users, who in turn get no privacy AND get their machines rooted
    disproportionate to the global population.

    This looks very similar to the DragonFly project by Google. Do you comply with censorship/privacy loss in order to deliver a better product to users, or do you object to it with the knowledge that the censorship/privacy loss will not change dramatically and the users receive a lot worse service?

    Edit 4:
    Nurbo from HN said:

    A fellow from Kazakhstan here.
    Banning this certificate or at least warning the users against using it WILL help a lot.
    Each authoritarian regime is authoritarian in its own way. Kazakhstan doesn't have a very strong regime, especially since the first president resigned earlier this year. When people protest strongly against something, the government usually backs down. For example, a couple of years ago the government withdrew their plans of lending lands to foreign governments after backlash from ordinary people. If Kazakhs knew about the implications of installing this certificate, they would have been on the streets already.
    If Firefox, Chrome and/or Safari block this certificate, the people will show their dissatisfaction and the law will be revoked.
    Sometimes the people in authoritarian countries need a little bit of support from organizations to fight for their rights. I really hope the browser organizations would help us here.

    Edit 5:
    Dmbaturin from lobste.rs translated the official KZ website:

    Due to increasingly frequent cases of personal information theft and bank account hijacking, we are introducing a security certificate that will become an efficient way to protect the country from hackers, scammers, and other cyberthreats.

    Deployment of the security certificate will help us protect your data and stop attacks before they succeed.

    The security certificate is a set of digital data that is required for encrypted protocols to work. It will help protect the Kazakh people from attacks and illegal content.

    You should install the certificate on every device connected to the Internet, else there will be technical difficulties with accessing particular resources.

    This is terrifying. And it’ll work, since people won’t be able to access the internet otherwise (see the ZDNet article linked below in the OT comment). This is the case where Mozilla, Google, and other organizations have to come forward and say No! According to the KZ citizen from HN, people can force the government to abort this if given a reason. Every major sw they use rejecting the certificate might be the reason they need.

    6 votes
  2. ainar-g

    “Coming Soon To An Oppressive Government Near You!”

    I have a feeling that Belarus or Russia will be the next ones. Reiterating my point from a few months ago, y'all Western developers will soon get a lot of new Russian-speaking colleagues.

    Súka bliatj.

    2 votes
  3. [2]
    Soptik

    Offtopic: Maybe it might be a good idea to switch the link to ZDNet.

    It’s concerning that internet access is blocked when people don’t install the certificate. How does one evade this? Proxy over :80 and hope for the best? Tor via not-443?

    2 votes
    1. cfabbro

      ~comp is supposed to be for stuff on the more technical side, so I think the bugzilla report is appropriate here. I do appreciate the added context of the zdnet article though, so thanks for linking it.

      p.s. The zdnet article would probably be a good submission for ~tech IMO, if you want to submit it there.

      2 votes
  4. [3]
    dont-tread-on-me

    Can someone ELI5 this for me? I’m a bit confused about the greater context of this.

    1 vote
    1. [2]
      Bauke

      The ZDNet article @Soptik linked explains it in a pretty simple way:

      The certificate, once installed, will allow local government agencies to decrypt users' HTTPS traffic, look at its content, encrypt it again with their certificate, and send it to its destination.

      2 votes
      1. dont-tread-on-me

        That is absolutely nuts. Thanks for that.

        2 votes
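
Added example, not part of the thread or of any project mentioned in it: the ZDNet quote above describes traffic being decrypted and re-encrypted under the installed certificate, so on a client that trusts it, unrelated sites start showing the same issuer. This sketch compares issuers seen on the local network against a baseline recorded elsewhere; all host names, CA names and the helper names are constructed for illustration.

```python
from collections import defaultdict

def cert(org, cn):
    """Build a dict shaped like ssl.SSLSocket.getpeercert() output (issuer only)."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),))}

def issuer_label(peercert):
    """Flatten the issuer RDN sequence into 'Organization / Common Name'."""
    fields = {k: v for rdn in peercert.get("issuer", ()) for k, v in rdn}
    return f"{fields.get('organizationName', '?')} / {fields.get('commonName', '?')}"

def find_shared_replacement_issuers(observed, baseline, min_hosts=2):
    """Return {issuer: [hosts]} for issuers that replaced the baseline issuer
    on at least min_hosts hosts. One host changing CA is routine; the same
    new issuer appearing on unrelated hosts is the interception signal."""
    replaced = defaultdict(list)
    for host, peercert in observed.items():
        expected = baseline.get(host)
        if expected is None:
            continue  # no reference value recorded for this host
        seen = issuer_label(peercert)
        if seen != expected:
            replaced[seen].append(host)
    return {iss: sorted(h) for iss, h in replaced.items() if len(h) >= min_hosts}

# Constructed baseline: issuer labels recorded from a network assumed clean.
BASELINE = {
    "mail.example": "Example Trust Services / Example TLS CA 1",
    "bank.example": "Sample Cert Authority / Sample Issuing CA G2",
    "news.example": "Example Trust Services / Example TLS CA 1",
    "shop.example": "Sample Cert Authority / Sample Issuing CA G2",
}

# Constructed observations from the network under test.
OBSERVED = {
    "mail.example": cert("Constructed National CA", "Constructed Security Root"),
    "bank.example": cert("Constructed National CA", "Constructed Security Root"),
    "news.example": cert("Example Trust Services", "Example TLS CA 1"),
    # An ordinary CA switch by one site: differs from baseline, but alone.
    "shop.example": cert("Example Trust Services", "Example TLS CA 1"),
}

if __name__ == "__main__":
    hits = find_shared_replacement_issuers(OBSERVED, BASELINE)
    for issuer, hosts in hits.items():
        print(f"possible interception CA: {issuer} -> {', '.join(hosts)}")
```

In real use the observed dicts would come from `getpeercert()` after a validated handshake, which only succeeds for the replacement issuer once its root is in the client's trust store.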