On Wednesday, Google, Apple, and Mozilla said their web browsers will block the Kazakhstan root Certificate Authority (CA) certificate – following reports that ISPs in the country have required customers to install a government-issued certificate that enables online spying.
According to the University of Michigan's Censored Planet project, the country's snoops "recently began using a fake root CA to perform a man-in-the-middle (MitM) attack against HTTPS connections to websites including Facebook, Twitter, and Google."
A root CA certificate, once installed in a device's trust store, lets whoever holds its private key issue certificates for any website, and the browser will accept them. That, to put it simply, is what makes it possible to sit between internet users and websites and read or alter communication that HTTPS would otherwise protect.
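How that abuse plays out mechanically, as an added example that is not code from the page, from Censored Planet, or from any browser vendor: a Go program builds a hypothetical interception root CA (the CA name is invented), issues a leaf certificate for www.facebook.com from it, and then runs the same verification a TLS client performs. The leaf is rejected against an empty trust store and accepted once the rogue root is added, while the hostname check still rejects the leaf for a name it was not issued for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// signCert signs template with signerKey. When parent == template the result is self-signed.
func signCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RogueRootAndLeaf builds a hypothetical interception root CA and a server certificate
// for host issued by that root. The CA name is invented for this example; the only
// property that matters is that the root is self-signed and marked as a CA.
func RogueRootAndLeaf(host string) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Interception Root CA (hypothetical)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err = signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}

	// The interceptor mints a fresh key and a leaf for whatever name it wants to impersonate;
	// nothing in X.509 stops it from naming a domain it does not control.
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = signCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// ChainTrusted performs the check a TLS client makes: does leaf verify for host
// against this set of trusted roots? An empty (non-nil) pool means "trust nothing",
// standing in for a trust store the interception root was never added to.
func ChainTrusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Fingerprint returns the SHA-256 fingerprint of a certificate, the value a user
// would compare against a published one when checking what is installed on a device.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	const host = "www.facebook.com"
	root, leaf, err := RogueRootAndLeaf(host)
	if err != nil {
		panic(err)
	}
	clean := x509.NewCertPool()
	poisoned := x509.NewCertPool()
	poisoned.AddCert(root)

	fmt.Println("rogue root fingerprint:", Fingerprint(root))
	fmt.Println("leaf for", host, "trusted with clean store:", ChainTrusted(leaf, host, clean))
	fmt.Println("leaf for", host, "trusted with rogue root installed:", ChainTrusted(leaf, host, poisoned))
	fmt.Println("same leaf presented for www.example.org:", ChainTrusted(leaf, "www.example.org", poisoned))
}
```

The verifier never consults the network or any certificate transparency log here; whether the connection is "secure" is decided entirely by which roots the client has been told to trust, which is why an ISP asking customers to install a root is equivalent to asking them to let that ISP read their traffic.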
The Censored Planet report indicates that researchers first detected data interception on July 17, a practice that has continued intermittently since then (though discussions of Kazakhstan's possible abuse of root CA certificates date back several years).
The interception does not appear to be widespread – it's said to affect only 459 (7 per cent) of the country's 6,736 HTTPS servers. But the 37 affected domains are largely social media and communications services belonging to Google, Facebook, and Twitter, among others.
Kazakhstan has a population of 18m and 76 per cent internet penetration, according to advocacy group Freedom House, which rates it 62 on a scale of 100 for lack of internet freedom – 100 means no internet access.
Two weeks ago, the government of Kazakhstan said it had discontinued its internet surveillance scheme, initially justified as a way to improve cybersecurity, after lawyers in the country criticized the move.
In notifications to Kazakhstani telecom customers, mobile operators maintained that the government-mandated security certificate represented a lawful demand. Yet, in a statement on August 6, the National Security Committee of the Republic of Kazakhstan said the certificate requirement was just a test, and a successful one at that. And the committee provided instructions for removing the certificate from Android, iOS and Windows devices.
In 2015, Kazakhstan tried to get its root CA certificate into Mozilla's trusted root store program but was rebuffed, and then tried to get its citizens to install the cert themselves until thwarted by legal action.
"As far as we know, the installation of the certificate is not legally required in Kazakhstan at this time," a Mozilla spokesperson said in an email to The Register.
"The government has said that installing the cert is a voluntary measure that is meant to protect people’s security. There’s no evidence to suggest that’s true. Quite the opposite. We’ve seen this certificate used to intercept communications, which is why we took action to block the certificate and protect the privacy and security of our users."
Mozilla recently took similar action against online spying in the United Arab Emirates, adding the UAE-based DarkMatter to its CA blocklist.
Google, Apple and Mozilla find such behavior unacceptable, at least when it comes to a government without much international power. Recall that Google was planning to develop a censored search engine for mainland China until employee objections derailed the project.
“People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security," said Marshall Erwin, senior director of trust and security at Mozilla in a statement. "We don't take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists."
Google in its statement sounded similarly indignant. "We will never tolerate any attempt, by any organization – government or otherwise – to compromise Chrome users' data. We have implemented protections from this specific issue, and will always take action to secure our users around the world," said Parisa Tabriz, senior engineering director for Chrome.
"Apple believes privacy is a fundamental human right, and we design every Apple product from the ground up to protect personal information," Cook & Co told The Register. "We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue." ®