Major browser makers are blocking the use of a root certificate that Kazakhstan’s government has used to intercept Internet traffic.
Mozilla and Google issued a joint announcement today saying that “the companies deployed technical solutions within Firefox and Chrome to block the Kazakhstan government’s ability to intercept Internet traffic within the country.” Each company is deploying “a technical solution unique to its browser,” they said.
Apple told Ars that it is also blocking the ability to use the certificate to intercept Internet traffic.
Kazakhstan reportedly said it halted the use of the certificate. But the browser makers’ actions could protect users who already installed it or prevent future use of the certificate by Kazakhstan’s government.
Mozilla and Google said they took the action in response to “credible reports that Internet service providers in Kazakhstan have required people in the country to download and install a government-issued certificate on all devices and in every browser in order to access the Internet.” The certificate “allowed the [Kazakhstan] government to decrypt and read anything a user types or posts, including intercepting their account information and passwords,” the companies wrote. “This targeted people visiting popular sites Facebook, Twitter, and Google, among others.”
Certificate blocked after installation
Mozilla explained in another post that the Kazakhstan root certificate “will not be trusted by Firefox even if the user has installed it.”
“We believe this is the appropriate response because users in Kazakhstan are not being given a meaningful choice over whether to install the certificate and because this attack undermines the integrity of a critical network security mechanism,” Mozilla said. The company also encouraged Internet users in Kazakhstan to “research the use of virtual private network (VPN) software, or the Tor Browser, to access the Web.”
Similarly, Google said that “Chrome will be blocking the certificate the Kazakhstan government required users to install” and that “no action is needed by users to be protected.”
Google added the certificate to CRLSets, which Chrome uses to “quickly block certificates in emergency situations.”
Moreover, Google said that “the certificate will be added to a blocklist in the Chromium source code and thus should be included in other Chromium based browsers in due course.”
Mozilla doesn’t “take actions like this lightly, but protecting our users and the integrity of the Web is the reason Firefox exists,” Mozilla Senior Director of Trust and Security Marshall Erwin said.
Chrome Senior Engineering Director Parisa Tabriz said that Google “will never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users’ data.”
When contacted by Ars, Apple said it is blocking the certificate so that it cannot be used to intercept Internet traffic even after a user has installed it.
“Apple believes privacy is a fundamental human right, and we design every Apple product from the ground up to protect personal information,” Apple also said in a statement to Ars and other media outlets. “We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue.” This covers Safari for both iOS and MacOS, Apple told Ars.
Edge and Internet Explorer
The situation with Microsoft is a bit murkier.
Microsoft, the maker of Edge and Internet Explorer, told Motherboard that “The Certificate Authority (CA) in question is not a trusted CA in our Trusted Root Program.” That means the certificate will not be installed by default, but a browser user could choose to install it.
Not trusting the certificate isn’t necessarily enough to prevent users from being spied on, though. A Censored Planet report from July 23 that Mozilla and Google referred to said, “The CA is not trusted by browsers by default, and must be installed manually by a user.”
But Internet users in Kazakhstan “cannot access affected sites at all if they do not install the root certificate for the fake CA and allow interception,” the report said.
Microsoft not trusting the certificate might make it a bit harder for users to install it. But if Microsoft isn’t blocking the ability to spy on users after the certificate has been installed, they wouldn’t be protected like users of other browsers.
On the plus side, Microsoft is in the process of switching Edge to a Chromium back-end, so Edge would eventually get the protection built into Chromium. But the Chromium-based Edge is still in beta.
We asked Microsoft about how it’s handling the Kazakhstan certificate and will update this article if we get a response.
Update: Microsoft gave us the same statement it previously gave to Motherboard, but provided no response to our question about whether it is doing anything to block the ability to spy on users after the certificate has been installed.
Kazakhstan prez: “There are no grounds for concerns”
A Reuters story on August 7 said that “Kazakhstan has halted the implementation of an Internet surveillance system criticized by lawyers as illegal, with the government describing its initial rollout as a test.”
State security officials claimed they were trying to protect people in Kazakhstan from “hacker attacks, online fraud and other kinds of cyber threats,” Reuters wrote.
Kazakhstan President Kassym-Jomart Tokayev “said in a tweet he had personally ordered the test which showed that protective measures ‘would not inconvenience Kazakh Internet users,'” Reuters wrote. “There are no grounds for concerns,” Tokayev also said.
The Mozilla/Google post noted that this was “not the first attempt by the Kazakhstan government to intercept the Internet traffic of everyone in the country.”
The companies wrote:
In 2015, the Kazakhstan government attempted to have a root certificate included in Mozilla’s trusted root store program. After it was discovered that they were intending to use the certificate to intercept user data, Mozilla denied the request. Shortly after, the government forced citizens to manually install its certificate but that attempt failed after organizations took legal action.
https://arstechnica.com/?p=1555809