Budapest Post

Cum Deo pro Patria et Libertate
Budapest, Europe and world news

Kazakhstan tries and fails to MITM all of its internet users with rogue certificate installation

Kazakhstan tries and fails to MITM all of its internet users with rogue certificate installation

On July 17th, 2019, the government of Kazakhstan enacted a new cybersecurity measure that aims to spy on its citizens’ internet traffic. Specifically, the Kazakh government ordered all of the internet service providers (ISPs) to force their customers to install a government-issued root certificate by Qaznet Trust Network on all of their internet accessing devices.

If installed, this MITM cert allows the government to intercept, decrypt, analyze, then re-encrypt all browser encrypted HTTPS traffic in a country wide man-in-the-middle (MITM) attack.

Since Wednesday, Kazakh internet users have been redirected to instructional pages asking them to install the new certificate. Forcing all of Kazakhstan’s internet through one government issued certificate is a gargantuan privacy issue, but it is also a security issue. Any hacker that gets control of the Quaznet domain will be able to view the supposedly encrypted personal information from Kazakh internet users. Passwords, usernames, credit card information, all of it would be available unencrypted in such a scenario.

To their credit, a Kazakh official clarified on July 19th, 2019 that the installation of the certificate was voluntary and not a prerequisite to accessing the internet.

Officials from the Ministry of Digital Development, Innovation and Aerospace stated that the new rule was “aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats,” but that clearly doesn’t seem to be the case. Messaging on the MITM cert install page by one Kazakh service provider, Kcell, specified what some of those “other types of cyber threats” just might be:  “A security certificate is a set of electronic digital symbols used to pass traffic that contains protocols that support encryption. Thus, it will allow Kazakhstani Internet users to be protected from hacker attacks and viewing illegal content.”

The notice-to-be-mitm also specifies that Linux users are exempt from downloading this rogue cert:

    “[…] the installation of a security certificate must be performed from each device that will be used to access the Internet (mobile phones and tablets based on iOS / Android, personal computers and laptops based on Windows / MacOS).”

The privacy and cryptography community online has responded with a particular uproar. MITM attacks by ISPs are bad enough when it’s done by the ISP for economic gain reasons. When it’s ordered by a government which overseas millions of citizens, it is a look into the future dystopia. If Kazakhstan succeeds in this, the country will join North Korea in a short list of countries that have more of an intranet than an internet. The real fear, which Dr. Green articulates concisely, is the thought of tech-illiterate politicians in democratic governments around the world salivating at the mouth while considering Kazakhstan’s new internet policy as a good one.

  

A state entity is trying to MITM its citizens… How will internet browsers react?


Will browsers ban this certificate, even if it isn’t mandatory, essentially disabling the ability for the Kazakh government and ISPs to spy on Kazakh citizens? Or will they allow this certificate to be and show some sort of persistent warning instead? Some believe that this is no different than internet access as exists in some managed, corporate settings.

One commenter on the Mozilla (Firefox) bugthread has a passionate plea to the former with the argument that only by taking the nuclear approach and blocking Kazakhstan’s MITM cert will the wider internet community be able to stop Kazakhstan from achieving its goal of intercepting all HTTPS traffic within the country. Allegedly, the threat of this is what caused the government to back down on this same plan in 2016.

    I am a citizen of Kazakhstan. If Mozilla/Google Chrome developers see this message,I kindly ask you to consider blocking the above mentioned certificate and any access to your browsers for the certificate holders. If this certificate didn’t pass Web trust audit, it can be the same as presented in 2016. So blocking it from the major world browsers is the only chance for kazakhs to avoid MITM attacks and keep at least some privacy rights (meaning that if blocked/blacklisted, the government will have to call back the certificate as it was done in 2016). […] If the certificate is not blacklisted, but only the visual message will pop up warning users about untrusted certificate – it will not help since majority of citizens (especially elderly ones) simply will not pay enough attention to such [a] message.

Since 2016, the Kazakh officials have added language that allows for exceptions to their MITM plan that graciously “allows” for encrypted traffic to bypass this MITM. The commenter also noted that the government does feel that they have bypassed the issues from their last rollout of their countrywide MITM attack:

    The request to install the certificate is distributed via sms (as of now – only to the capital’s citizens). The last change in the law that the officials are referring to was done in December 2017. Clause 3-1, subclause 4) says that “Providers of international network are required to …4) to pass traffic using protocols that support encryption via security certificates, with the exception of traffic that was encrypted in Kazakhstan by cryptographic tools for data security”.

If browsers blacklist the certificate, and in essence take the stance that they will not let the Kazakh government spy on its citizens using their software, it’s possible that the Kazakh government will back down; however, it’s also possible that the Kazakh government might just force Kazakh ISPs to encourage the use of a state run browser – which would likely be forked from Chromium or Firefox anyways. This issue, as articulated by Matthew Hardeman in the corresponding email listserv discussion, leads to different a scenario where Kazakh citizens have both their privacy and security violated.

What ends up happening at the browser level is still unclear – all the large industry stakeholders such as Microsoft, Mozilla, and Google are all discussing the issue in earnest but nothing has been decided as of yet. In the meantime, Kazakh internet users need to protect themselves by encrypting their internet traffic themselves and avoiding the installation of this certificate at all costs – possibly by switching to Linux. Even if the certificate isn’t necessary to access the internet, many Kazakh internet users will get that impression from the language presented by their ISPs.

AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
Newsletter

Related Articles

0:00
0:00
Close
Trump Threatens Retaliatory Tariffs After EU Imposes €2.95 Billion Fine on Google
Tesla Board Proposes Unprecedented One-Trillion-Dollar Performance Package for Elon Musk
Gold Could Reach Nearly $5,000 if Fed Independence Is Undermined, Goldman Sachs Warns
Uruguay, Colombia and Paraguay Secure Places at 2026 World Cup
Trump Administration Advances Plans to Rebrand Pentagon as Department of War Instead of the Fake Term Department of Defense
Big Tech Executives Laud Trump at White House Dinner, Unveil Massive U.S. Investments
Tether Expands into Gold Sector with Profit-Driven Diversification
‘Looks Like a Wig’: Online Users Express Concern Over Kate Middleton
Florida’s Vaccine Revolution: DeSantis Declares War on Mandates
Trump’s New War – and the ‘Drug Tyrant’ Fearing Invasion: ‘1,200 Missiles Aimed at Us’
"The Situation Has Never Been This Bad": The Fall of PepsiCo
At the Parade in China: Laser Weapons, 'Eagle Strike,' and a Missile Capable of 'Striking Anywhere in the World'
The Fashion Designer Who Became an Italian Symbol: Giorgio Armani Has Died at 91
Putin Celebrates ‘Unprecedentedly High’ Ties with China as Gazprom Seals Power of Siberia-2 Deal
China Unveils New Weapons in Grand Military Parade as Xi Hosts Putin and Kim
Rapper Cardi B Cleared of Liability in Los Angeles Civil Assault Trial
Google Avoids Break-Up in U.S. Antitrust Case as Stocks Rise
Couple celebrates 80th wedding anniversary at assisted living facility in Lancaster
Information Warfare in the Age of AI: How Language Models Become Targets and Tools
The White House on LinkedIn Has Changed Their Profile Picture to Donald Trump
"Insulted the Prophet Muhammad": Woman Burned Alive by Angry Mob in Niger State, Nigeria
Trump Responds to Death Rumors – Announces 'Missile City'
Druzhba Pipeline Incident Sparks Geopolitical Tensions
Cost of Opposition Leader Péter Magyar's Economic Plan Revealed
Germany in Turmoil: Ukrainian Teenage Girl Pushed to Death by Illegal Iraqi Migrant
United Krack down on human rights: Graham Linehan Arrested at Heathrow Over Three X Posts, Hospitalised, Released on Bail with Posting Ban
Asian and Middle Eastern Investors Avoid US Markets
Ray Dalio Warns of US Shift to Autocracy
Eurozone Inflation Rises to 2.1% in August
Russia and China Sign New Gas Pipeline Deal
Von der Leyen's Plane Hit by Suspected Russian GPS Interference in an Incident Believed to Be Caused by Russia or by Pro-Peace or by Anti-Corruption European Activists
China's Robotics Industry Fuels Export Surge
Suntory Chairman Resigns After Police Probe
Gold Price Hits New All-Time Record
UK Fintechs Explore Buying US Banks
Greece Suspends 5% of Schools as Birth Rate Drops
Apollo to Launch $5 Billion Sports Investment Vehicle
Bolsonaro Trial Nears Close Amid US-Brazil Tension
European Banks Push for Lower Cross-Border Barriers
Poland's Offshore Wind Sector Attracts Investors
Budapest Central European Fashion Week Kicks Off
U.S. Celebrates Labor Day
Hungarian National Team Captain Scores Epic Goal
EU is getting aggressive: Four AfD Candidates Die Unexpectedly Ahead of North Rhine-Westphalia Local Elections
Japanese Customer Sways from VW to BYD after “Unbelievable” Test Drive amid Dealership Expansion
Nestlé Removes CEO Laurent Freixe Following Undisclosed Relationship with Subordinate
Pickles are the latest craze among Generation Z in the United States.
Giuliani Seriously Injured in Accident – Trump to Award Him the Presidential Medal of Freedom
Deadline Day Delivers Record £125m Isak Move and Donnarumma to City
Nvidia Reveals: Two Mystery Customers Account for About 40% of Revenue
×