Browsers depend on the digital certificates installed in the trust store of a user’s computer or mobile device when establishing a secure connection. These identity certificates prove ownership of a public key, letting a browser verify that it is talking to the site the certificate names, and letting developers debug connections during website development. Businesses also install their own root certificates to intercept and monitor internal traffic.
“It is not appropriate for this mechanism to be used to intercept traffic on the public internet. In response to recent actions by the Kazakhstan government, Chrome, along with other browsers, has taken steps to protect users from the interception or modification of TLS connections made to websites,” Google wrote in a blog post. “Chrome will be blocking the [Qaznet] certificate the Kazakhstan government required users to install. The certificate has been added to CRLSet. No action is needed by users to be protected. In addition, the certificate will be added to a blocklist in the Chromium source code and thus should be included in other Chromium-based browsers in due course.”
“To protect our users, Firefox, together with Chrome, will block the use of the Kazakhstan root CA certificate. This means that it will not be trusted by Firefox even if the user has installed it,” Mozilla wrote on its corporate blog. “We believe this is the appropriate response because users in Kazakhstan are not being given a meaningful choice over whether to install the certificate and because this attack undermines the integrity of a critical network security mechanism. When attempting to access a website that responds with this certificate, Firefox users will see an error message stating that the certificate should not be trusted.”
“Users will not be able to click through the message and proceed to the page they were attempting to visit,” Mozilla senior director Marshall Erwin told VentureBeat. “Research shows that many users click through errors without understanding what they mean, leaving them no better off than if there were no warning at all.”
Since intercepted sites will not be accessible via Chrome or Firefox, Mozilla is recommending that users in affected regions install the Tor Browser or a VPN to access the web. “We also strongly encourage anyone who followed the steps to install the Kazakhstan government root certificate to remove it from your devices and to immediately change your passwords, using a strong, unique password for each of your online accounts.”
Facebook, Twitter, and Google targeted
Censored Planet, a monitoring platform run by the University of Michigan which has been scanning the network for interference from the Kazakh MITM attacks, found that the majority of domains being targeted are owned by Facebook, Twitter, and Google. That’s not surprising, as Kazakhstan, a former Soviet bloc republic, has been scrutinized by human rights organizations for using Cold War tactics to suppress its people. In March, its first president, Nursultan Nazarbayev, stepped down after 30 years of authoritarian rule. Following the June 12 inauguration of his successor, Kassym-Jomart Tokayev, Human Rights Watch (HRW) posted a letter asking the new president to “bring an end to harassment and reprisals against independent and critical journalists; end the arbitrary blocking of websites, including social media; decriminalize libel; and to commission a review of the media and information law, with a view to making the law compatible with international standards on freedom of the media and speech.”
HRW had expressed hope for a “human rights reset” with the regime change as the oil-rich nation, which makes up nearly two-thirds of Central Asia’s GDP, moves to increase its standing in the global economy. Tokayev pledged to complete the vision for a Digital Kazakhstan with the goal of fostering “pluralism of opinion,” but on July 17 — the same day the first meeting of the National Council of Public Trust was convened to discuss increasing government-citizen communication — Kazakh ISPs began sending out notices to users to install the government spyware.
An Orwellian nightmare?
This may simply be a precursor to wider deployment as Kazakhstan tests its interception system on a fraction of its 18 million citizens. Censored Planet noted that just a small percentage of the population appears to be receiving the injected certificate, even when connecting to affected domains.
“It will be interesting to follow the developments in Kazakhstan. It would come as no surprise if the country’s leaders were to introduce a law that required the installation of their root certificate onto any new devices sold, thereby solving the challenge of how to load the certificate on devices of non-technical users,” threat researcher David Warburton said in a blog post. “Once this root certificate is installed, it will almost certainly never be removed. Since the Qaznet certificate has such a long lifespan [it expires in 2046] there are almost three decades over which threat actors could compromise the private key and begin using it to attack Kazakh citizens.”
VentureBeat asked Mozilla if there is a risk that Kazakhstan’s actions could threaten U.S. interests.
“If a U.S. citizen is communicating with someone in Kazakhstan, the government would be able to see the data you send to that person over HTTPS. The exception would be cases where the application you’re using adds additional security — such as key pinning or another layer of encryption — to protect you,” Erwin explained. “The threat to people is a real one. This attack also gives the government of Kazakhstan the ability to modify or redact information that is being sent back to the user. People’s emails, social media posts, passwords, and banking information could be compromised.”
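The key pinning Erwin mentions, and the certificate mechanism described at the top of the article, can be shown in a few lines. The Python below is an added example, not code from VentureBeat, Mozilla, Google or any browser: it pins the SHA-256 hash of a site’s SubjectPublicKeyInfo (the format browsers use for pins) instead of trusting whatever chain the device’s trust store accepts, so a leaf certificate minted under an injected root fails the check even when the root is installed. The two certificates are constructed, unsigned test structures built inline with a tiny DER encoder; the name, validity dates and key bytes are placeholders.

```python
import base64
import hashlib

# ---- minimal DER helpers (added example; not code from any browser) ----

def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with the given single-byte tag."""
    return bytes([tag]) + der_len(len(content)) + content


def seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at pos; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Extract the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate.

    Field order inside tbsCertificate per RFC 5280: [0] version (optional),
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo.
    """
    tag, cert_body, _ = read_tlv(cert_der, 0)
    tag2, tbs, _ = read_tlv(cert_body, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                       # explicit version tag present
        tag, _, pos = read_tlv(tbs, pos)  # serialNumber
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    for _ in range(4):                    # signature, issuer, validity, subject
        tag, _, pos = read_tlv(tbs, pos)
        if tag != 0x30:
            raise ValueError("unexpected tbsCertificate layout")
    start = pos
    tag, _, end = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo SEQUENCE expected")
    return tbs[start:end]


def spki_pin(cert_der: bytes) -> str:
    """Pin in the form browsers use: base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(subject_public_key_info(cert_der)).digest()
    return base64.b64encode(digest).decode()


def chain_matches_pins(chain: list, pins: set) -> bool:
    """Accept the connection only if some certificate in the presented chain
    carries a pinned public key; an injected root, and any leaf it signs,
    holds a different key and so fails regardless of what the OS trusts."""
    return any(spki_pin(cert) in pins for cert in chain)


# ---- constructed sample certificates (unsigned test structures, not real) ----

SHA256_RSA = der(0x06, bytes.fromhex("2A864886F70D01010B"))  # sha256WithRSAEncryption OID
RSA_KEY = der(0x06, bytes.fromhex("2A864886F70D010101"))     # rsaEncryption OID
NULL = der(0x05, b"")

def fake_cert(common_name: bytes, key_bytes: bytes) -> bytes:
    """Build a structurally valid but unsigned certificate for the demo."""
    name = seq(der(0x31, seq(der(0x06, bytes.fromhex("550403")), der(0x0C, common_name))))
    validity = seq(der(0x17, b"190717000000Z"), der(0x17, b"460717000000Z"))  # placeholder dates
    spki = seq(seq(RSA_KEY, NULL), der(0x03, b"\x00" + key_bytes))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              seq(SHA256_RSA, NULL), name, validity, name, spki)
    return seq(tbs, seq(SHA256_RSA, NULL), der(0x03, b"\x00" * 9))  # placeholder signature

GENUINE = fake_cert(b"example.com", b"\x01" * 32)      # the site's own key
INTERCEPTED = fake_cert(b"example.com", b"\x02" * 32)  # same name, interceptor's key
PINS = {spki_pin(GENUINE)}

if __name__ == "__main__":
    print("genuine chain pinned:    ", chain_matches_pins([GENUINE], PINS))      # True
    print("intercepted chain pinned:", chain_matches_pins([INTERCEPTED], PINS))  # False
```

The pin covers only the public key, so a site can renew its certificate without changing the pin, while an interception proxy, which must present its own key pair to decrypt the traffic, can never match it. In a real client the chain would come from the TLS handshake (for example `ssl.SSLSocket.getpeercert(binary_form=True)`) and the pin set from the application’s configuration, with a backup pin for key rotation.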