Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Chrome Firefox Mozilla Privacy Security IT

Apple, Google, and Mozilla Block Kazakhstan's HTTPS Intercepting Certificate (zdnet.com) 80

Apple, Google, and Mozilla have moved in to ban a root certificate the Kazakhstan government used in the past month to spy on its citizens' web traffic. From a report: Starting today, Chrome, Firefox, and Safari will show errors if any HTTPS web traffic is encrypted with the Kazakh government's root or leaf certificates. This coordinated action will ensure the safety of Kazakh users who were forced last month by their local Kazakh ISPs to install this certificate under the threat of not being allowed to use the internet otherwise. Kazakh ISPs forced their customers to install the government's root certificate after the Kazakh government issued a decree and said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats." But in reality, the Kazakh government abused this root certificate installed in millions of users browsers to intercept and decrypt HTTPS traffic users were making to 37 domains, such as such Facebook, Google, Twitter, Instagram, and YouTube.
This discussion has been archived. No new comments can be posted.

Apple, Google, and Mozilla Block Kazakhstan's HTTPS Intercepting Certificate

Comments Filter:
  • by Anonymous Coward

    Why are they blocking them? Oh... never mind... Competition

    • Why are they blocking them? Oh... never mind... Competition

      I know Apple and Google are selling me out for those tasty ad dollars, but I'm not so sure Mozilla is as evil as you may think.

      • Re: (Score:2, Interesting)

        by jellomizer ( 103300 )

        The Certificate Business is a far cry from what it should be. Back in the early days HTTPS certs were expensive, however the Cert company actually verified that you were who you are. Then they just lowered the standards over and over. Now that anyone could get a free cert, that means Any scammer can make a page pretending to be a legit site. And with a centralized CERT servers, they can then track who is visiting which site and when.

        Browsers should just allow encrypted communication without certificates, a

        • by XanC ( 644172 )

          What's a centralized CERT server? Do you mean revocation checking? All sites should be configured with OCSP stapling to mitigate this issue. Sadly, most are not...

        • Re: (Score:1, Troll)

          by AmiMoJo ( 196126 )

          There are different kinds of certificate. The full verification ones are still expensive and still do require them to properly investigate who you are. The free ones don't establish identity, only that the server has a valid certificate for that domain and isn't some MITM attack or DNS hijack.

          The real problem is that even properly checking the identity of the certificate holder doesn't really do much to protect people. There are so many companies with similar names, it's not hard to set up a new company wit

          • by AmiMoJo ( 196126 )

            Interesting. The troll moderators are back. They seemed to largely go away when ACs were first banned, but whoever is stalking me is clearly back. String of random down-mods on sequential posts. Probably triggered by upsetting a nuke fan by the look of it.

            I had hoped Slashdot's moderation system would get better when ACs were banned, but it seems like it just took them a while to adapt.

        • by dissy ( 172727 )

          Now that anyone could get a free cert, that means Any scammer can make a page pretending to be a legit site.

          You could always setup a page pretending to be a legit site, free cert, paid cert, or no cert at all.

          You can't blame free certs for the fact one can register slashdot-org.tldoftheweek and people don't pay attention to where they are going.

          Unless you are implying you can get a free cert for the actual "slashdot.org" domain, in which case I would be quite interested to hear how.

        • If you think a certificate says anything about the person or organization behind a server, you're a fool. The only thing a certificate does verify, and the only thing it actually really can, is that the server you are talking to is actually the server you think you are talking to. Not more, not less. If you go to bankofmurrica.com, you may well be presented a valid certificate, but if you think this belongs to the Bank of America, you're an even bigger fool.

      • by Pieroxy ( 222434 )

        Why are they blocking them? Oh... never mind... Competition

        I know Apple and Google are selling me out for those tasty ad dollars, but I'm not so sure Mozilla is as evil as you may think.

        AFAIK Apple is not in the business of transforming their user's data into dollars by selling theme out to the highest bidder. Maybe that's why their phones are so expensive. It's their sole source of revenue.

        • AFAIK Apple is not in the business of transforming their user's data into dollars by selling theme out to the highest bidder. Maybe that's why their phones are so expensive. It's their sole source of revenue.

          From Apple News Advertising [apple.com]: Advertising Opportunities News comes with a built-in advertising platform that helps you earn revenue from the content you publish to Apple News. Campaign management, targeting, and creative and reporting capabilities give you the tools you need to drive your business. Keep 100% of the revenue from ads you sell, and 70% when Apple sells ads for you.

          From Apple Search Ads [apple.com]:Your marketing expertise. Our tools. With Apple Search Ads Advanced, you manage your own campaigns. You choo

    • by nyet ( 19118 )

      Why the anger? Your company likely already does this to you so they can MITM everything you do on company computers.

      • With the difference that I'm at my company to work for them and that it's their assets that I use so it's valid that they have an interest to protect them.

  • So the same companies that trip over themselves to help China censor and invade the privacy of its citizens suddenly have a moral backbone when it comes to Kazakhstan? Why?
    • by slack_justyb ( 862874 ) on Wednesday August 21, 2019 @11:02AM (#59109364)

      So the same companies

      I was unaware that Mozilla was in any way helping the Chinese government. I'm aware that Mozilla China exists but they, as far as I understand, are independent of the Mozilla Corporation and the Mozilla Foundation. However, I do know that they are indeed affiliated with the later in that they promote Mozilla technology. But that affiliation is similar in nature as the Linux Foundation and China Systems, they pay a fee to the trademark of the product and are acknowledged as having paid that fee, but beyond that are kept pretty much at arms length.

      However, if there's a deeper connection between Mozilla and the Chinese government, I'm more than happy to hear what it is. Not indicating anything wrong with what you said, just indicating that this would be the first I've heard of it.

    • Unlike China, the laws in Kazakhstan do not provide for the castration of the entire family of anyone who would dare to oppose the state. Therefore, in Kazakhstan one is free to tell the Government where to go shove itself. If Google/Apple/Mozilla were to do that in China, they would find themselves in a re-education camp.

      However, the answer is simpler than that -- simply follow the money.

    • Simple math, really.

      Number of internet users in China: 765 million
      Number of internet users in Kazakhstan: 13 million

    • by nyet ( 19118 )

      Not just to help China.

      Many companies install MITM sniffers and push wildcard certs via GP to snoop on their employees.

  • by Fly Swatter ( 30498 ) on Wednesday August 21, 2019 @10:49AM (#59109320) Homepage
    Sure it's their software and they can do what they want, but do you really want a software and ad company controlling what you can see? Apparently they think they are bigger than a government.
    • by AmiMoJo ( 196126 ) on Wednesday August 21, 2019 @11:22AM (#59109460) Homepage Journal

      Mozilla in particular has been policing the use of certificates for a long time now. They have booted entire CAs before, and if you want to set up a new CA you have to convince them that you are legit and have decent security.

      And that's a good thing, because they have a track record of being impartial and good at their job. In this case the certificate is bogus - the rules are quite clear, you can't issue certs for other people's domains without permission.

      • Mozilla in particular has been policing the use of certificates for a long time now. They have booted entire CAs before, and if you want to set up a new CA you have to convince them that you are legit and have decent security.

        And that's a good thing, because they have a track record of being impartial and good at their job. In this case the certificate is bogus - the rules are quite clear, you can't issue certs for other people's domains without permission.

        This is NOT a CA that comes pre-installed with browser or operating system. Kazakhstan tried and failed their hand at making that happen.

        What the government has actually resorted to is simply asking everyone to manually install a trusted root certificate into their own systems. Nobody has ever had to seek "permission" from anyone except themselves in order to install third party certificates into their systems.

        I don't support the notion manual installation of third party certs need ever be cleared by any

        • With the difference that I can install the server, let it sit in a sandbox to make the overlords happy, then go browse however I deem appropriate.

      • by AHuxley ( 892839 )
        So a browser brand knows what's best? Under a CoC?
        A good thing for ads?
        • by AmiMoJo ( 196126 )

          Someone has to do it. Who would you suggest?

          • by AHuxley ( 892839 )
            The Kazakh government tried to keep its people safe.
            Will browsers be blocking external https antivirus efforts?
            Extensions installed that can see the https in use?
            Extensions that block the good tracking and the good ads?
            Just the Kazakh government for now?
            More changes to the browser CoC expected soon?
            So someone can make the internet safe for ads? Safe from most governments?
            • by AmiMoJo ( 196126 )

              The Kazakh government tried to keep its people safe.

              Wow. Do you honestly believe that was their intention.

              Also, how does forcing the installation of a dodgy root certificate make people safer?

              Will browsers be blocking external https antivirus efforts?

              They already do. There is no reason for AV software to intercept HTTPS traffic. There are browser APIs for all the functionality that they require.

              More changes to the browser CoC expected soon?

              What does the CoC covering contributions to the browser code have anything to do with this?

              • by AHuxley ( 892839 )
                Re "forcing the installation of a dodgy root certificate make people safer?"
                By a government for use in its own nation?
                Does a browser have any other CoC suggestions for other nations governments?
                • by AmiMoJo ( 196126 )

                  So if the Chinese said "everyone must install our root cert so that we can spy on them", you would be fine with that and expect browser vendors to cooperate?

                  And if the Chinese government says to Google "you must censor your search engine for us, to help us control the population", that's fine and Google should do what they ask?

                  If the NSA says "this encryption is too good, please backdoor it so we can keep reading all your private correspondence", you would backdoor your app to help them out?

                  That's some auth

            • The Kazakh government tried to keep its people safe.

              Got more material like that? You could be a stand-up in Vegas.

              • by AHuxley ( 892839 )
                Like an ad blocker? AV product?
                If a browser sets the limits to what encryption is approved?
                Who gets blocked? Who is allowed?
                Some approved root certificates are more equal than others?
                Block all govs? Just some bad governments?
                What about who gets to stay in the browser? Who gets approved?
                • If I choose to install an ad blocker or AV product, that's my choice. I can as well choose not to do so.

                  Once you noticed the difference between a person or organization protecting its assets and a government considering it citizens assets and trying to "protect" them, we can continue the discussion.

                  Is it me or is your sig in this context kinda ironic?

                  • by AHuxley ( 892839 )
                    That comes back to a nation legally following its own internal telco policy.
                    Will a browser company have other advice/view for other nations now?
                    A global good browser to use its CoC more often? As in the "Earth Police" as mentioned...
                    What other nations policy direction will get some browser policy CoC support? Correction? Removal?
                    Thats the difference.
                    A list of bad nations to be updated soon? Bad brands? Who is next for addition, removal, an international conduct policy?
                    A nations policy? A brands
                    • by AHuxley ( 892839 )
                      AC the resembling a code of conduct. that protected and gave the free West the PRISM collection and decryption?
                      That support for big gov from freedom protecting big tech?
                      But that was a "good" secret for the FBI, DEA? CIA? GCHQ? And all very legal decryption too AC. A way for big tech to show its patriotism AC?
                      But Kazakhstan laws in the open are bad AC and big tech will block that. To show its users its a good brand
                      When the US did PRISM protective big tech did not say much did they AC.
                      A very selecti
    • Sure it's their software and they can do what they want, but do you really want a software and ad company controlling what you can see? Apparently they think they are bigger than a government.

      I know being on the anti-Google bandwagon is cool and all, but comparing them to what's going on in Kazakhstan is stupid, and for all the shit people heap on Google there's yet to be a documented case of Google "controlling what you see" in their browser.

    • by twocows ( 1216842 ) on Wednesday August 21, 2019 @01:16PM (#59109950)
      The point of certificates is to certify that the website or service you are connecting to is who they claim to be. The Kazakh government's stated intention here was to coerce their citizens into using their government-issued cert so they could perform MITM attacks on all traffic their citizens generated (they said it would be mandatory in the future and I fully believe that was their intent, they probably backed down largely because nobody else wanted to play along). This is inherently incompatible with the previously stated goal of certificates and the moment they declared their intention to be such, they abandoned any legitimate claim to their certificates being trustworthy and they deserved to be blacklisted.

      This isn't a new story, it's been ongoing for a while now (see here [mozilla.org]). The Mozilla and Google maintainers both discussed this and came to the same completely logical solution: that certifying government-issued MITM certs as trusted is inherently incompatible with the goals of certification to begin with and that the only logical action to take here is to certify that these certificates are untrustworthy. I don't question the result, because it is correct, I only question how long it took to come to a conclusion that I find obvious. Then again, policy changes take a while by necessity so that the process isn't abused, so I don't really question it that much.

      The main point of contention I have is how browsers respond to blacklisted certs. In my opinion, there should always be a user override present, but lately Firefox and Chrome have started disabling this option in certain situations. I don't think that makes much sense; if a user knows their traffic is being monitored, there may still be certain situations where making the connection makes sense. For instance, if you're a farmer and you need weather forecasts, you don't care if that request is being monitored by the government, you just care that you're able to get the data. I think the browser's responsibility should end at notifying the user what exactly is going on and what it can mean. If the user chooses to ignore that warning (and I think there are legitimate reasons to do so), then that should be up to them.
      • by Pow ( 107003 )

        The Kazakh government's stated intention here was to coerce their citizens into using their government-issued cert so they could perform MITM attacks on all traffic their citizens generated (they said it would be mandatory in the future and I fully believe that was their intent, they probably backed down largely because nobody else wanted to play along). This is inherently incompatible with the previously stated goal of certificates and the moment they declared their intention to be such, they abandoned any legitimate claim to their certificates being trustworthy and they deserved to be blacklisted.

        How is this different from companies (in USA no less) requiring users on their networks to do the same thing, i.e. installing and trusting a company-issued CA certificate that is used to sign MitM-ed HTTPS sites for purpose of malware inspection, etc?

        Browsers should pay more attention at their trusted CA list, not blacklisting user installed private root CA certificates.

        • When the Kazakh government employs all their people, gives them a computer with the express intention and order to work for them and get money in return AND lets them use a computer of their own that needn't connect through the mitm-infrastructure in their leisure time, you actually have a case.

      • that certifying government-issued MITM certs as trusted is inherently incompatible with the goals of certification to begin with

        The entire goal of certificates is to enforce preexisting trust relationships.

        The end user has made the decision they trust their government. What higher and more relevant authority than the end user can there possibly be in this matter?

        Perhaps browser vendors should do a better job educating their users of the repercussions of installing root certificates. It seems very safe to assume virtually nobody following the instructions have any idea what any of the shit they are doing means or what the repercuss

        • The end user has made the decision they trust their government.

          It's more like the end user has made the decision that having internet is better than not having internet. They weren't given a choice. The government said "either you do this or in a couple months, we'll shut off your internet access." That's not a matter of trust, it's a matter of necessity.

          • It's more like the end user has made the decision that having internet is better than not having internet.

            They weren't given a choice. The government said "either you do this or in a couple months, we'll shut off your internet access." That's not a matter of trust, it's a matter of necessity.

            Why is any of this relevant? It has yet to be communicated what business unelected unaccountable techno kings have in interjecting their judgment into affairs having nothing to do with them overriding wishes of end users when the end user has not asked for any such interference.

            Whatever reasons and pressures going into it the user has in fact made a choice. Good or bad, wrong or right, coerced or free. Whether the user believes it to be their "patriotic duty" to install the cert or there is a gun to thei

    • end of July. Kazakhstan's GDP was $170.54 billion in 2018. So just Apple alone is worth many times what Kazakhstan is in the only global metric that matters, money.

      It's not at all surprising that they, Google, and other multinational companies would consider themselves to be bigger than governments.

      Especially as they are accountable to no one, pay no taxes, and pretty much do whatever the fuck they want with the occasional fine on the wrist where any actual person would be in jail or worse.

  • Apparently though rich saudis are able to buy their right-to-spy from big tech companies.
  • I'm not sure we should be forcing our political views on other countries. If you don't like the way your country is doing things, rebel or get out. I haven't seen anything stating the Kazakh people are fed up with their government creeping around their personal lives.
    • And who do you mean exactly by "we" ? In this case, "we" is private companies, so your statement would be "I'm not sure private companies should be forcing their political views on other countries".

      So let me comment on your statement by a comment of my own:

      Why should private companies be forced to comply with the demands of foreign governements ?

  • by TWX ( 665546 ) on Wednesday August 21, 2019 @11:04AM (#59109374)

    Very Nice!

  • Since it's open source I can't see why the Kazah would not be forced to use one where it the certificate is not blocked.
  • In TLS 1.2 and before, the use of RSA-family ciphers makes it possible for a MiTM to passively decrypt traffic (if they have a valid certificate on the victim OS) after actively intercepting the handshake.

    The deprecation of them in favor of ECDHE in TLS1.3 doesn't make interception impossible, but it does mean that MiTM has to actively proxy the entire connection and all the data in it. That makes it significantly more expensive for an adversary relative to only intercepting the handshake and being able to

    • by RedK ( 112790 )

      > The deprecation of them in favor of ECDHE in TLS1.3 doesn't make interception impossible, but it does mean that MiTM has to actively proxy the entire connection and all the data in it. That makes it significantly more expensive for an adversary relative to only intercepting the handshake and being able to passively decrypt the content (or even store for later passive decryption!).

      It's a common feature now in HTTP proxy appliances. Bluecoat sells their boxes on the very basis they are able to handle th

      • It's a common feature, but you need to buy a lot of proxy applications to MiTM an entire country.

        Security isn't about padlocks, it's about moats and pickets and making life harder and harder for adversaries.

    • by Pow ( 107003 )

      The situation described in TFA was a case of active MitM proxy.

      • There are two variants of "active" --

        (1) Active where you decrypt the handshake in order to steal the stream cipher key, but then you can let the entire stream through and decrypt it offline (and out of band). For example, you can just shunt it all to a DB and later decide which streams are interesting. Or you can scan for some content and decide the stream is "OK" and stop decrypting it.

        (2) Active where your middlebox encrypts and decrypts each and every packet in the stream. If you stop proxying, the conn

    • It's not a panacea, especially since targeted proxying is still possible in these circumstance, but every little bit helps.

      It's irrelevant. Kazakhstan is operating a full proxy.

      • They are operating a full proxy, but their middlebox does not have to decrypt/encrypt every packet, because they are inserting a non-ECDHE cipher into the handshake.

        This makes it a lot cheaper.

  • My understanding from reading the article linked in TFA is that it was not even a trusted certificate.
    https://www.zdnet.com/article/... [zdnet.com]

    Local internet service providers (ISPs) have been instructed by the local government to force their respective users into installing a government-issued certificate on all devices, and in every browser.

    Kazakh users trying to access the internet since yesterday have been redirected to web pages that contained instructions on how to install the government's root certificate in their respective browsers, may it be a desktop or mobile device.

    As a user you really have no options here. Your ISP is already MitM-ing your traffic, they just offer you a convenience of not having browser certificate warnings/errors.

    Tomorrow their government can issue a new self-signed root CA and update the instructions for citizens to install and trust that. I don't see how browsers blacklisting untrusted certificates solves the prob

    • Simple. Blacklisting certificates is easier than issuing them. It's a war of expenses, if it's more expensive for your adversary than for you, you come out ahead.

  • Won't anyone think of the incredible disservice this does to oligarchs and their dictatorial governments, to the thousands of secret police and other jackbooted thugs who depend on these tools to crack down on dissidents, squash democracy, and crush the free exchange and expression of unpatriotic ideals? C'mon ;(

  • by Srin Tuar ( 147269 ) <zeroday26@yahoo.com> on Wednesday August 21, 2019 @03:38PM (#59110444)

    Now do China.

Life is a game. Money is how we keep score. -- Ted Turner

Working...