Budapest Post

Cum Deo pro Patria et Libertate
Budapest, Europe and world news

Kazakhstan tries and fails to MITM all of its internet users with rogue certificate installation

Kazakhstan tries and fails to MITM all of its internet users with rogue certificate installation

On July 17th, 2019, the government of Kazakhstan enacted a new cybersecurity measure that aims to spy on its citizens’ internet traffic. Specifically, the Kazakh government ordered all of the internet service providers (ISPs) to force their customers to install a government-issued root certificate by Qaznet Trust Network on all of their internet accessing devices.

If installed, this MITM cert allows the government to intercept, decrypt, analyze, then re-encrypt all browser encrypted HTTPS traffic in a country wide man-in-the-middle (MITM) attack.

Since Wednesday, Kazakh internet users have been redirected to instructional pages asking them to install the new certificate. Forcing all of Kazakhstan’s internet through one government issued certificate is a gargantuan privacy issue, but it is also a security issue. Any hacker that gets control of the Quaznet domain will be able to view the supposedly encrypted personal information from Kazakh internet users. Passwords, usernames, credit card information, all of it would be available unencrypted in such a scenario.

To their credit, a Kazakh official clarified on July 19th, 2019 that the installation of the certificate was voluntary and not a prerequisite to accessing the internet.

Officials from the Ministry of Digital Development, Innovation and Aerospace stated that the new rule was “aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats,” but that clearly doesn’t seem to be the case. Messaging on the MITM cert install page by one Kazakh service provider, Kcell, specified what some of those “other types of cyber threats” just might be:  “A security certificate is a set of electronic digital symbols used to pass traffic that contains protocols that support encryption. Thus, it will allow Kazakhstani Internet users to be protected from hacker attacks and viewing illegal content.”

The notice-to-be-mitm also specifies that Linux users are exempt from downloading this rogue cert:

    “[…] the installation of a security certificate must be performed from each device that will be used to access the Internet (mobile phones and tablets based on iOS / Android, personal computers and laptops based on Windows / MacOS).”

The privacy and cryptography community online has responded with a particular uproar. MITM attacks by ISPs are bad enough when it’s done by the ISP for economic gain reasons. When it’s ordered by a government which overseas millions of citizens, it is a look into the future dystopia. If Kazakhstan succeeds in this, the country will join North Korea in a short list of countries that have more of an intranet than an internet. The real fear, which Dr. Green articulates concisely, is the thought of tech-illiterate politicians in democratic governments around the world salivating at the mouth while considering Kazakhstan’s new internet policy as a good one.

  

A state entity is trying to MITM its citizens… How will internet browsers react?


Will browsers ban this certificate, even if it isn’t mandatory, essentially disabling the ability for the Kazakh government and ISPs to spy on Kazakh citizens? Or will they allow this certificate to be and show some sort of persistent warning instead? Some believe that this is no different than internet access as exists in some managed, corporate settings.

One commenter on the Mozilla (Firefox) bugthread has a passionate plea to the former with the argument that only by taking the nuclear approach and blocking Kazakhstan’s MITM cert will the wider internet community be able to stop Kazakhstan from achieving its goal of intercepting all HTTPS traffic within the country. Allegedly, the threat of this is what caused the government to back down on this same plan in 2016.

    I am a citizen of Kazakhstan. If Mozilla/Google Chrome developers see this message,I kindly ask you to consider blocking the above mentioned certificate and any access to your browsers for the certificate holders. If this certificate didn’t pass Web trust audit, it can be the same as presented in 2016. So blocking it from the major world browsers is the only chance for kazakhs to avoid MITM attacks and keep at least some privacy rights (meaning that if blocked/blacklisted, the government will have to call back the certificate as it was done in 2016). […] If the certificate is not blacklisted, but only the visual message will pop up warning users about untrusted certificate – it will not help since majority of citizens (especially elderly ones) simply will not pay enough attention to such [a] message.

Since 2016, the Kazakh officials have added language that allows for exceptions to their MITM plan that graciously “allows” for encrypted traffic to bypass this MITM. The commenter also noted that the government does feel that they have bypassed the issues from their last rollout of their countrywide MITM attack:

    The request to install the certificate is distributed via sms (as of now – only to the capital’s citizens). The last change in the law that the officials are referring to was done in December 2017. Clause 3-1, subclause 4) says that “Providers of international network are required to …4) to pass traffic using protocols that support encryption via security certificates, with the exception of traffic that was encrypted in Kazakhstan by cryptographic tools for data security”.

If browsers blacklist the certificate, and in essence take the stance that they will not let the Kazakh government spy on its citizens using their software, it’s possible that the Kazakh government will back down; however, it’s also possible that the Kazakh government might just force Kazakh ISPs to encourage the use of a state run browser – which would likely be forked from Chromium or Firefox anyways. This issue, as articulated by Matthew Hardeman in the corresponding email listserv discussion, leads to different a scenario where Kazakh citizens have both their privacy and security violated.

What ends up happening at the browser level is still unclear – all the large industry stakeholders such as Microsoft, Mozilla, and Google are all discussing the issue in earnest but nothing has been decided as of yet. In the meantime, Kazakh internet users need to protect themselves by encrypting their internet traffic themselves and avoiding the installation of this certificate at all costs – possibly by switching to Linux. Even if the certificate isn’t necessary to access the internet, many Kazakh internet users will get that impression from the language presented by their ISPs.

AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
Newsletter

Related Articles

0:00
0:00
Close
Tokyo’s Jimbōchō Named World’s Coolest Neighbourhood for 2025
European Officials Fear Trump May Shift Blame for Ukraine War onto EU
The Personality Rights Challenge in India’s AI Era
Italy Considers Freezing Retirement Age at 67 to Avert Scheduled Hike
Italian City to Impose Tax on Visiting Dogs Starting in 2026
Study Finds No Safe Level of Alcohol for Dementia Risk
Trump Says Ukraine Can Fully Restore Borders with NATO Backing
Europe Signals Stronger Support for Taiwan at Major Taipei Defence Show
Germany Weighs Excluding France from Key European Fighter Jet Programme
Cyberattack Disrupts Check-in and Boarding Systems at Major European Airports
Björn Borg Breaks Silence: Memoir Reveals Addiction, Shame and Cancer Battle
When Extremism Hijacks Idealism: How the Baader-Meinhof Gang Emerged and Fell
JWST Data Brings TRAPPIST-1e Closer to Earth-Like Habitability
Trump Orders $100,000 Fee on H-1B Visas and Launches ‘Gold Card’ Immigration Pathway
France’s Looming Budget Crisis and Political Fracture Raise Fears of Becoming Europe’s “Sick Man”
Three Russian MiG-31 Jets Breach Estonian Airspace in ‘Unprecedentedly Brazen’ NATO Incident
European manufacturers against ban on polluting cars: "The industry may collapse"
Turkish car manufacturer Togg Enters German Market with 5-Star Electric Sedan and SUV to Challenge European EV Brands
Christian Brueckner Released from German Prison after Serving Unrelated Sentence
World’s Longest Direct Flight China Eastern to Launch 29-Hour Shanghai–Buenos Aires Direct Flight via Auckland in December
New OpenAI Study Finds Majority of ChatGPT Use Is Personal, Not Professional
The conservative right spreads westward: a huge achievement for 'Alternative for Germany' in local elections
Pope Leo Warns of Societal Crisis Over Mega-CEO Pay, Citing Tesla’s Proposed Trillion-Dollar Package
Poland Green-Lights NATO Deployment in Response to Major Russian Drone Incursion
U.S. and China Agree on Framework to Shift TikTok to American Ownership
Le Pen Tightens the Pressure on Macron as France Edges Toward Political Breakdown
Czech Republic signs €1.34 billion contract for Leopard 2A8 main battle tanks with delivery from 2028
Penske Media Sues Google Over “AI Overviews,” Claiming It Uses Journalism Without Consent and Destroys Traffic
Indian Student Engineers Propose “Project REBIRTH” to Protect Aircraft from Crashes Using AI, Airbags and Smart Materials
One in Three Europeans Now Uses TikTok, According to the Chinese Tech Giant
Could AI Nursing Robots Help Healthcare Staffing Shortages?
NATO Deploys ‘Eastern Sentry’ After Russian Drones Violate Polish Airspace
The New Life of Novak Djokovic
German police raid AfD lawmaker’s offices in inquiry over Chinese payments
Volkswagen launches aggressive strategy to fend off Chinese challenge in Europe’s EV market
France Erupts in Mass ‘Block Everything’ Protests on New PM’s First Day
Poland Shoots Down Russian Drones in Airspace Violation During Ukraine Attack
Apple Introduces Ultra-Thin iPhone Air, Enhanced 17 Series and New Health-Focused Wearables
Macron Appoints Sébastien Lecornu as Prime Minister Amid Budget Crisis and Political Turmoil
Vatican hosts first Catholic LGBTQ pilgrimage
Apple Unveils iPhone 17 Series, iPhone Air, Apple Watch 11 and More at 'Awe Dropping' Event
France joins Eurozone’s ‘periphery’ as turmoil deepens, say investors
France Faces New Political Crisis, again, as Prime Minister Bayrou Pushed Out
Nayib Bukele Points Out Belgian Hypocrisy as Brussels Considers Sending Army into the Streets
France, at an Impasse, Heads Toward Another Government Collapse
The Country That Got Too Rich? Public Spending Dominates Norway Election
EU Proposes Phasing Out Russian Oil and Gas by End of 2027 to End Energy Dependence
More Than 150,000 Followers for a Fictional Character: The New Influencers Are AI Creations
EU Prepares for War
Trump Threatens Retaliatory Tariffs After EU Imposes €2.95 Billion Fine on Google
×