Apple, Google, and Mozilla Block Kazakhstan's HTTPS Intercepting Certificate (zdnet.com)
Apple, Google, and Mozilla have moved in to ban a root certificate the Kazakhstan government used in the past month to spy on its citizens' web traffic. From a report: Starting today, Chrome, Firefox, and Safari will show errors if any HTTPS web traffic is encrypted with the Kazakh government's root or leaf certificates. This coordinated action will ensure the safety of Kazakh users who were forced last month by their local Kazakh ISPs to install this certificate under the threat of not being allowed to use the internet otherwise. Kazakh ISPs forced their customers to install the government's root certificate after the Kazakh government issued a decree and said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats." But in reality, the Kazakh government abused this root certificate installed in millions of users' browsers to intercept and decrypt HTTPS traffic users were making to 37 domains, such as Facebook, Google, Twitter, Instagram, and YouTube.
Certificates were created for spying (Score:1)
Why are they blocking them? Oh... never mind... Competition
Re: (Score:1)
Why are they blocking them? Oh... never mind... Competition
I know Apple and Google are selling me out for those tasty ad dollars, but I'm not so sure Mozilla is as evil as you may think.
Re: (Score:2, Interesting)
The Certificate Business is a far cry from what it should be. Back in the early days HTTPS certs were expensive, however the Cert company actually verified that you were who you are. Then they just lowered the standards over and over. Now that anyone could get a free cert, that means any scammer can make a page pretending to be a legit site. And with centralized CERT servers, they can then track who is visiting which site and when.
Browsers should just allow encrypted communication without certificates, a
Re: (Score:2)
What's a centralized CERT server? Do you mean revocation checking? All sites should be configured with OCSP stapling to mitigate this issue. Sadly, most are not...
Re: (Score:1, Troll)
There are different kinds of certificate. The full verification ones are still expensive and still do require them to properly investigate who you are. The free ones don't establish identity, only that the server has a valid certificate for that domain and isn't some MITM attack or DNS hijack.
The real problem is that even properly checking the identity of the certificate holder doesn't really do much to protect people. There are so many companies with similar names, it's not hard to set up a new company wit
Re: (Score:2)
Interesting. The troll moderators are back. They seemed to largely go away when ACs were first banned, but whoever is stalking me is clearly back. String of random down-mods on sequential posts. Probably triggered by upsetting a nuke fan by the look of it.
I had hoped Slashdot's moderation system would get better when ACs were banned, but it seems like it just took them a while to adapt.
Re: (Score:2)
Now that anyone could get a free cert, that means Any scammer can make a page pretending to be a legit site.
You could always set up a page pretending to be a legit site, free cert, paid cert, or no cert at all.
You can't blame free certs for the fact one can register slashdot-org.tldoftheweek and people don't pay attention to where they are going.
Unless you are implying you can get a free cert for the actual "slashdot.org" domain, in which case I would be quite interested to hear how.
Re: (Score:2)
And that's all the certificate actually certifies: That you are indeed talking to the server you think you are talking to. What you think about the organization you are talking to is beyond the certificate's capabilities.
If you go to mail.google.ihackyourbox.cn, get a valid certificate and think you're talking to google, that is your problem. And please tell me how a certificate infrastructure should be able to solve this problem, I'm all ears.
Re: (Score:2)
If you think a certificate says anything about the person or organization behind a server, you're a fool. The only thing a certificate does verify, and the only thing it actually really can, is that the server you are talking to is actually the server you think you are talking to. Not more, not less. If you go to bankofmurrica.com, you may well be presented a valid certificate, but if you think this belongs to the Bank of America, you're an even bigger fool.
Re: (Score:2)
Why are they blocking them? Oh... never mind... Competition
I know Apple and Google are selling me out for those tasty ad dollars, but I'm not so sure Mozilla is as evil as you may think.
AFAIK Apple is not in the business of transforming their users' data into dollars by selling them out to the highest bidder. Maybe that's why their phones are so expensive. It's their sole source of revenue.
Re: (Score:1)
AFAIK Apple is not in the business of transforming their users' data into dollars by selling them out to the highest bidder. Maybe that's why their phones are so expensive. It's their sole source of revenue.
From Apple News Advertising [apple.com]: Advertising Opportunities News comes with a built-in advertising platform that helps you earn revenue from the content you publish to Apple News. Campaign management, targeting, and creative and reporting capabilities give you the tools you need to drive your business. Keep 100% of the revenue from ads you sell, and 70% when Apple sells ads for you.
From Apple Search Ads [apple.com]: Your marketing expertise. Our tools. With Apple Search Ads Advanced, you manage your own campaigns. You choo
Re: (Score:2)
Why the anger? Your company likely already does this to you so they can MITM everything you do on company computers.
Re: (Score:2)
With the difference that I'm at my company to work for them and that it's their assets that I use so it's valid that they have an interest to protect them.
China != Kazakhstan? (Score:2, Interesting)
Re:China != Kazakhstan? (Score:4, Informative)
So the same companies
I was unaware that Mozilla was in any way helping the Chinese government. I'm aware that Mozilla China exists but they, as far as I understand, are independent of the Mozilla Corporation and the Mozilla Foundation. However, I do know that they are indeed affiliated with the latter in that they promote Mozilla technology. But that affiliation is similar in nature to the Linux Foundation and China Systems: they pay a fee for the trademark of the product and are acknowledged as having paid that fee, but beyond that are kept pretty much at arm's length.
However, if there's a deeper connection between Mozilla and the Chinese government, I'm more than happy to hear what it is. Not indicating anything wrong with what you said, just indicating that this would be the first I've heard of it.
Re: (Score:1)
Unlike China, the laws in Kazakhstan do not provide for the castration of the entire family of anyone who would dare to oppose the state. Therefore, in Kazakhstan one is free to tell the Government where to go shove itself. If Google/Apple/Mozilla were to do that in China, they would find themselves in a re-education camp.
However, the answer is simpler than that -- simply follow the money.
Re: (Score:2)
Simple math, really.
Number of internet users in China: 765 million
Number of internet users in Kazakhstan: 13 million
Re: (Score:2)
Not just to help China.
Many companies install MITM sniffers and push wildcard certs via GP to snoop on their employees.
Re: (Score:2)
Again, the shoe fits if Kazakhstan starts handing out computers to its citizens and employs them.
So they are the Earth Police now? (Score:3, Interesting)
Re:So they are the Earth Police now? (Score:4, Insightful)
Mozilla in particular has been policing the use of certificates for a long time now. They have booted entire CAs before, and if you want to set up a new CA you have to convince them that you are legit and have decent security.
And that's a good thing, because they have a track record of being impartial and good at their job. In this case the certificate is bogus - the rules are quite clear, you can't issue certs for other people's domains without permission.
Re: (Score:2)
Mozilla in particular has been policing the use of certificates for a long time now. They have booted entire CAs before, and if you want to set up a new CA you have to convince them that you are legit and have decent security.
And that's a good thing, because they have a track record of being impartial and good at their job. In this case the certificate is bogus - the rules are quite clear, you can't issue certs for other people's domains without permission.
This is NOT a CA that comes pre-installed with a browser or operating system. Kazakhstan tried and failed their hand at making that happen.
What the government has actually resorted to is simply asking everyone to manually install a trusted root certificate into their own systems. Nobody has ever had to seek "permission" from anyone except themselves in order to install third party certificates into their systems.
I don't support the notion manual installation of third party certs need ever be cleared by any
Re: (Score:2)
With the difference that I can install the server, let it sit in a sandbox to make the overlords happy, then go browse however I deem appropriate.
Re: (Score:1)
A good thing for ads?
Re: (Score:2)
Someone has to do it. Who would you suggest?
Re: (Score:1)
Will browsers be blocking external https antivirus efforts?
Extensions installed that can see the https in use?
Extensions that block the good tracking and the good ads?
Just the Kazakh government for now?
More changes to the browser CoC expected soon?
So someone can make the internet safe for ads? Safe from most governments?
Re: (Score:2)
The Kazakh government tried to keep its people safe.
Wow. Do you honestly believe that was their intention.
Also, how does forcing the installation of a dodgy root certificate make people safer?
Will browsers be blocking external https antivirus efforts?
They already do. There is no reason for AV software to intercept HTTPS traffic. There are browser APIs for all the functionality that they require.
More changes to the browser CoC expected soon?
What does the CoC covering contributions to the browser code have anything to do with this?
Re: (Score:1)
By a government for use in its own nation?
Does a browser have any other CoC suggestions for other nations governments?
Re: (Score:2)
So if the Chinese said "everyone must install our root cert so that we can spy on them", you would be fine with that and expect browser vendors to cooperate?
And if the Chinese government says to Google "you must censor your search engine for us, to help us control the population", that's fine and Google should do what they ask?
If the NSA says "this encryption is too good, please backdoor it so we can keep reading all your private correspondence", you would backdoor your app to help them out?
That's some auth
Re: (Score:2)
The Kazakh government tried to keep its people safe.
Got more material like that? You could be a stand-up in Vegas.
Re: (Score:1)
If a browser sets the limits to what encryption is approved?
Who gets blocked? Who is allowed?
Some approved root certificates are more equal than others?
Block all govs? Just some bad governments?
What about who gets to stay in the browser? Who gets approved?
Re: (Score:2)
If I choose to install an ad blocker or AV product, that's my choice. I can as well choose not to do so.
Once you notice the difference between a person or organization protecting its assets and a government considering its citizens assets and trying to "protect" them, we can continue the discussion.
Is it me or is your sig in this context kinda ironic?
Re: (Score:1)
Will a browser company have other advice/view for other nations now?
A global good browser to use its CoC more often? As in the "Earth Police" as mentioned...
What other nations policy direction will get some browser policy CoC support? Correction? Removal?
That's the difference.
A list of bad nations to be updated soon? Bad brands? Who is next for addition, removal, an international conduct policy?
A nations policy? A brands
Re: (Score:1)
That support for big gov from freedom protecting big tech?
But that was a "good" secret for the FBI, DEA? CIA? GCHQ? And all very legal decryption too AC. A way for big tech to show its patriotism AC?
But Kazakhstan laws in the open are bad AC and big tech will block that. To show its users it's a good brand.
When the US did PRISM, protective big tech did not say much, did they AC.
A very selecti
Re: (Score:2)
Not really applicable here. The rules on certs are clear. ANY CA caught issuing bogus certs is subject to this policy, and the root cert in question has no purpose other than issuing bogus certs.
Re: (Score:1)
Re:So they are the Earth Police now? (Score:4)
Re: (Score:2)
The Kazakh government asked *users* to trust their certificates and Mozilla and Google decided not to
FTFY.
Re: (Score:2)
You DO understand that your signature is kinda ironic when compared to the statement you make, yes? Because the Kazakh government is doing this exactly to suppress freedom of speech.
Re: (Score:2)
Sure it's their software and they can do what they want, but do you really want a software and ad company controlling what you can see? Apparently they think they are bigger than a government.
I know being on the anti-Google bandwagon is cool and all, but comparing them to what's going on in Kazakhstan is stupid, and for all the shit people heap on Google there's yet to be a documented case of Google "controlling what you see" in their browser.
Re:So they are the Earth Police now? (Score:4)
This isn't a new story, it's been ongoing for a while now (see here [mozilla.org]). The Mozilla and Google maintainers both discussed this and came to the same completely logical solution: that certifying government-issued MITM certs as trusted is inherently incompatible with the goals of certification to begin with and that the only logical action to take here is to certify that these certificates are untrustworthy. I don't question the result, because it is correct, I only question how long it took to come to a conclusion that I find obvious. Then again, policy changes take a while by necessity so that the process isn't abused, so I don't really question it that much.
The main point of contention I have is how browsers respond to blacklisted certs. In my opinion, there should always be a user override present, but lately Firefox and Chrome have started disabling this option in certain situations. I don't think that makes much sense; if a user knows their traffic is being monitored, there may still be certain situations where making the connection makes sense. For instance, if you're a farmer and you need weather forecasts, you don't care if that request is being monitored by the government, you just care that you're able to get the data. I think the browser's responsibility should end at notifying the user what exactly is going on and what it can mean. If the user chooses to ignore that warning (and I think there are legitimate reasons to do so), then that should be up to them.
Re: (Score:1)
The Kazakh government's stated intention here was to coerce their citizens into using their government-issued cert so they could perform MITM attacks on all traffic their citizens generated (they said it would be mandatory in the future, and I fully believe that was their intent; they probably backed down largely because nobody else wanted to play along). This is inherently incompatible with the previously stated goal of certificates, and the moment they declared their intention to be such, they abandoned any legitimate claim to their certificates being trustworthy and they deserved to be blacklisted.
How is this different from companies (in the USA no less) requiring users on their networks to do the same thing, i.e. installing and trusting a company-issued CA certificate that is used to sign MitM-ed HTTPS sites for the purpose of malware inspection, etc.?
Browsers should pay more attention to their trusted CA list, not blacklisting user-installed private root CA certificates.
Re: (Score:2)
When the Kazakh government employs all their people, gives them a computer with the express intention and order to work for them and get money in return AND lets them use a computer of their own that needn't connect through the mitm-infrastructure in their leisure time, you actually have a case.
Re: (Score:3)
that certifying government-issued MITM certs as trusted is inherently incompatible with the goals of certification to begin with
The entire goal of certificates is to enforce preexisting trust relationships.
The end user has made the decision they trust their government. What higher and more relevant authority than the end user can there possibly be in this matter?
Perhaps browser vendors should do a better job educating their users about the repercussions of installing root certificates. It seems very safe to assume virtually nobody following the instructions has any idea what any of the shit they are doing means or what the repercuss
Re: (Score:3)
It's more like the end user has made the decision that having internet is better than not having internet. They weren't given a choice. The government said "either you do this or in a couple months, we'll shut off your internet access." That's not a matter of trust, it's a matter of necessity.
Re: (Score:2)
It's more like the end user has made the decision that having internet is better than not having internet.
They weren't given a choice. The government said "either you do this or in a couple months, we'll shut off your internet access." That's not a matter of trust, it's a matter of necessity.
Why is any of this relevant? It has yet to be communicated what business unelected unaccountable techno kings have in interjecting their judgment into affairs having nothing to do with them overriding wishes of end users when the end user has not asked for any such interference.
Whatever reasons and pressures going into it the user has in fact made a choice. Good or bad, wrong or right, coerced or free. Whether the user believes it to be their "patriotic duty" to install the cert or there is a gun to thei
Apple just passed $1 trillion in market cap at the (Score:2)
end of July. Kazakhstan's GDP was $170.54 billion in 2018. So just Apple alone is worth many times what Kazakhstan is in the only global metric that matters, money.
It's not at all surprising that they, Google, and other multinational companies would consider themselves to be bigger than governments.
Especially as they are accountable to no one, pay no taxes, and pretty much do whatever the fuck they want with the occasional fine on the wrist where any actual person would be in jail or worse.
Normal for Muslim country (Score:2)
Re: (Score:2)
Has less to do with Muslims, you think Russia is any better, or how about China?
Human Rights or Political Difference (Score:1)
Re: (Score:1)
And who do you mean exactly by "we"? In this case, "we" is private companies, so your statement would be "I'm not sure private companies should be forcing their political views on other countries".
So let me comment on your statement with a comment of my own:
Why should private companies be forced to comply with the demands of foreign governments?
Two Thumbs Up (Score:3)
Very Nice!
Mandatory custom-built Chrome (Score:2)
Good reason to get TLS 1.3 adopted everywhere ... (Score:2)
In TLS 1.2 and before, the use of RSA-family ciphers makes it possible for a MiTM to passively decrypt traffic (if they have a valid certificate on the victim OS) after actively intercepting the handshake.
The deprecation of them in favor of ECDHE in TLS1.3 doesn't make interception impossible, but it does mean that MiTM has to actively proxy the entire connection and all the data in it. That makes it significantly more expensive for an adversary relative to only intercepting the handshake and being able to
Re: (Score:2)
> The deprecation of them in favor of ECDHE in TLS1.3 doesn't make interception impossible, but it does mean that MiTM has to actively proxy the entire connection and all the data in it. That makes it significantly more expensive for an adversary relative to only intercepting the handshake and being able to passively decrypt the content (or even store for later passive decryption!).
It's a common feature now in HTTP proxy appliances. Bluecoat sells their boxes on the very basis they are able to handle th
Re: (Score:2)
It's a common feature, but you need to buy a lot of proxy applications to MiTM an entire country.
Security isn't about padlocks, it's about moats and pickets and making life harder and harder for adversaries.
Re: (Score:1)
The situation described in TFA was a case of active MitM proxy.
Re: (Score:2)
There are two variants of "active" --
(1) Active where you decrypt the handshake in order to steal the stream cipher key, but then you can let the entire stream through and decrypt it offline (and out of band). For example, you can just shunt it all to a DB and later decide which streams are interesting. Or you can scan for some content and decide the stream is "OK" and stop decrypting it.
(2) Active where your middlebox encrypts and decrypts each and every packet in the stream. If you stop proxying, the conn
Re: (Score:2)
It's not a panacea, especially since targeted proxying is still possible in these circumstances, but every little bit helps.
It's irrelevant. Kazakhstan is operating a full proxy.
Re: (Score:2)
They are operating a full proxy, but their middlebox does not have to decrypt/encrypt every packet, because they are inserting a non-ECDHE cipher into the handshake.
This makes it a lot cheaper.
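The two comments above (the TLS 1.3 post about RSA key exchange versus ECDHE, and the reply about a non-ECDHE cipher being inserted into the handshake) boil down to one observable fact: the cipher suite and version a server (or a middlebox) picks in its ServerHello tell you whether a recorded session could later be decrypted with a static private key. The following is an added example, not code from the thread or from any browser vendor: it parses a constructed ServerHello record, resolves the negotiated version (honouring the TLS 1.3 supported_versions extension) and classifies the key exchange as ephemeral or static RSA. The `SUITES` table is a constructed subset of the IANA cipher suite registry.

```python
import struct

# IANA cipher suite codes; a small constructed subset chosen for this example.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 extension type


def forward_secret(suite_name: str) -> bool:
    """True when the key exchange is ephemeral (EC)DHE, so a long-term private
    key cannot be used to decrypt a recorded session offline."""
    if suite_name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True  # TLS 1.3 suites always use an ephemeral key exchange
    return "_ECDHE_" in suite_name or "_DHE_" in suite_name


def build_server_hello(suite: int, tls13: bool = False) -> bytes:
    """Construct a minimal TLS record carrying a ServerHello (sample input only)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # legacy version, random, empty session id
    body += struct.pack("!H", suite) + b"\x00"     # chosen suite, null compression
    if tls13:
        # supported_versions extension selecting TLS 1.3 (0x0304)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 2) + b"\x03\x04"
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Extract negotiated version and cipher suite from a ServerHello record."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record containing a ServerHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                # skip server random
    pos += 1 + body[pos]                        # skip session id
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                    # suite + compression method
    if pos + 2 <= len(body):                    # extensions are optional in TLS 1.2
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = struct.unpack("!H", body[pos:pos + 2])[0]  # real TLS 1.3 version
            pos += elen
    name = SUITES.get(suite, f"unknown(0x{suite:04x})")
    return {"version": version, "suite": name, "forward_secret": forward_secret(name)}


def assess(record: bytes) -> str:
    """STATIC_RSA_KEX means a holder of the server (or interception) private key
    can decrypt captured traffic offline; EPHEMERAL means they must proxy live."""
    info = parse_server_hello(record)
    if info["suite"].startswith("unknown"):
        return "UNKNOWN_SUITE"
    if info["version"] >= 0x0304:
        return "EPHEMERAL"                      # TLS 1.3 has no static key exchange
    return "EPHEMERAL" if info["forward_secret"] else "STATIC_RSA_KEX"
```

Run against a real capture, a STATIC_RSA_KEX verdict on a TLS 1.2 session to a site that normally negotiates ECDHE is the handshake-tampering signature the reply above describes.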
Untrusted certificate, why blacklist? (Score:1)
My understanding from reading the article linked in TFA is that it was not even a trusted certificate.
https://www.zdnet.com/article/... [zdnet.com]
Local internet service providers (ISPs) have been instructed by the local government to force their respective users into installing a government-issued certificate on all devices, and in every browser.
Kazakh users trying to access the internet since yesterday have been redirected to web pages that contained instructions on how to install the government's root certificate in their respective browsers, may it be a desktop or mobile device.
As a user you really have no options here. Your ISP is already MitM-ing your traffic; they just offer you the convenience of not having browser certificate warnings/errors.
Tomorrow their government can issue a new self-signed root CA and update the instructions for citizens to install and trust that. I don't see how browsers blacklisting untrusted certificates solves the prob
Re: (Score:2)
Simple. Blacklisting certificates is easier than issuing them. It's a war of expenses, if it's more expensive for your adversary than for you, you come out ahead.
disservice to oligarchs (Score:2)
Won't anyone think of the incredible disservice this does to oligarchs and their dictatorial governments, to the thousands of secret police and other jackbooted thugs who depend on these tools to crack down on dissidents, squash democracy, and crush the free exchange and expression of unpatriotic ideals? C'mon ;(
Re: (Score:2)
Re: (Score:2)
Which is probably going to upset way more people than a government spying on them.
a good start but (Score:3)
Now do China.