
Kazakhstan's Government Begins Intercepting HTTPS Traffic In Its Capital (zdnet.com) 126

ZDNet reports: Under the guise of a "cybersecurity exercise," the Kazakhstan government is forcing citizens in its capital of Nur-Sultan (formerly Astana) to install a digital certificate on their devices if they want to access foreign internet services. Once installed, the certificate would allow the government to intercept all HTTPS traffic made from users' devices via a technique called MitM (Man-in-the-Middle).

Starting today, December 6, 2020, Kazakh internet service providers (ISPs) such as Beeline, Tele2, and Kcell are redirecting Nur-Sultan-based users to web pages showing instructions on how to install the government's certificate. Earlier this morning, Nur-Sultan residents also received SMS messages informing them of the new rules.

Kazakhstan users have told ZDNet today that they are not able to access sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix without installing the government's root certificate.

This is the Kazakh government's third attempt at forcing citizens to install root certificates on their devices after a first attempt in December 2015 and a second attempt in July 2019. Both previous attempts failed after browser makers blacklisted the government's certificates.
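The interception described in the summary leaves a client-visible trace: chains for many unrelated sites suddenly end in the same root, one that was never seen before. A sketch of that check follows, as an added example that is not part of the ZDNet story or the Slashdot page; the hostnames, fingerprint strings and the `min_hosts` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed baseline: root fingerprints previously seen for each host
# from a vantage point believed to be free of interception.
BASELINE = {
    "search.example": {"constructed-root-A"},
    "video.example": {"constructed-root-A"},
    "social.example": {"constructed-root-B"},
    "stream.example": {"constructed-root-C"},
    "shop.example": {"constructed-root-B"},
}

# Constructed observations from the monitored network: (host, root fingerprint).
OBSERVED = [
    ("search.example", "constructed-root-X"),
    ("video.example", "constructed-root-X"),
    ("social.example", "constructed-root-X"),
    ("stream.example", "constructed-root-X"),
    ("shop.example", "constructed-root-C"),      # moved to another known CA
    ("intranet.example", "constructed-root-Y"),  # no history for this host
]


def find_interception_roots(baseline, observations, min_hosts=3):
    """Return {root_fp: sorted hosts} for roots that never appear in the
    baseline yet terminate the chains of at least min_hosts known hosts.

    A single host changing CA is normal. One previously unseen root showing
    up for several unrelated hosts at once is the pattern a locally
    installed interception root produces.
    """
    known_roots = set().union(*baseline.values())
    hosts_by_root = defaultdict(set)
    for host, root_fp in observations:
        expected = baseline.get(host)
        if expected is None:
            continue  # no baseline for this host, cannot judge it
        if root_fp in expected or root_fp in known_roots:
            continue  # unchanged, or switched to a CA already in the baseline
        hosts_by_root[root_fp].add(host)
    return {
        fp: sorted(hosts)
        for fp, hosts in hosts_by_root.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for fp, hosts in find_interception_roots(BASELINE, OBSERVED).items():
        print(f"unknown root {fp} terminates chains for: {', '.join(hosts)}")
```

Software that ships its own trust store or pins its certificates fails closed on such a chain instead, which shows up as broken updates and API calls rather than as a report.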

  • by sound+vision ( 884283 ) on Monday December 07, 2020 @12:35AM (#60801876) Journal

    I'm starting with the men in the middle (oooh)
    I'm asking them to change their ways
    And no message could have been any clearer...

    • The obvious answer here is to create a second layer VPN behind an initial layer VPN. The tech will surely rip open the first layer, but just get the encrypted packets of the second. That is, if they are even smart enough to block traditional VPNs in the first place. You could just stack two VPN layers on each other. It's what I would do.
      • by Joce640k ( 829181 ) on Monday December 07, 2020 @03:18AM (#60802056) Homepage

        Thus instantly marking you as a subversive...

        • Send some dummy traffic along the first VPN service that looks like HTTP requests. Any end-to-end encrypted communication (WhatsApp, iMessage, etc...) will look identical to your VPN traffic.
        • by AmiMoJo ( 196126 )

          A more robust option is to use cloud servers as proxies. Tor does this to get around blocking in places like China. They can't very well block an HTTPS connection to Microsoft's Azure cloud because it would break loads of sites in China. Similarly trying to target people using them would mark half the population as people of interest.

      • by Luckyo ( 1726890 ) on Monday December 07, 2020 @03:49AM (#60802088)

        On the bright side, this is Kazakhstan and not Uzbekistan. So they won't boil the idiot who behaves like you suggest alive for demonstrating subversive tendencies against government policy. They'll just beat you and your family. And then tell your family that it's their duty to prevent you from being subversive, for your own good.

        Reminder: these are the people who have physical access to you at any time they wish, and rules of the land are fully on their side.

        I won't call it "law" because there's no real rule of law in formerly Soviet -stans, just universally understood societal rules where dictators have total control. In some cases, making Borat's comedy look like a really tame, watered down version of actual reality. Be it Uzbeks boiling subversives alive as punishment, Turkmen worshipping their Arkadag in a way that makes Kim look like a widely domestically criticised leader or Kazakhs renaming their capital to the name of their post-Soviet ruler after his death.

        • or Kazakhs renaming their capital to the name of their post-Soviet ruler after his death.

          It's a good thing America would never name its capital city after America's first president. Oh, wait... we did it while he was still alive and still president.

      • If the government blocks https at the ISP level your data won't reach the first VPN. If they block it at the border this would work because the second VPN (what they see at the border) would use a government certificate to carry encrypted data.
  • by gurps_npc ( 621217 ) on Monday December 07, 2020 @12:38AM (#60801878) Homepage

    Yes, browser blacklisted them twice before, so let's do it a third time.

    Surely the people that love privacy and hate our attempt to destroy privacy will give in and not blacklist us again!

    This makes me think of the Narcotics Anonymous (1981) Definition of Insanity: "The definition of insanity is repeating the same mistakes over and over again and expecting different results."

    Of course, this is also the real definition of perseverance. But I hope it proves insane, rather than an example of perseverance.

    • Re: (Score:1, Insightful)

      by Anonymous Coward
      So let's get this straight... you think it's unacceptable for governments to MiTM HTTPS traffic of their citizens yet you allow companies around the world to do the same thing to their employees? How is one different than the other?
      • by gravewax ( 4772409 ) on Monday December 07, 2020 @12:45AM (#60801886)
        A company gets to set policies that you agree to in order to utilise company equipment and connections, you are using their equipment on their time therefore they have rights to determine what you can and cannot do. The government doing it is an entirely different thing as you don't get the choice to opt out of what a government imposes on you (apart from immigrating).
        • A company gets to set policies that you agree to in order to utilise company equipment and connections, you are using their equipment on their time therefore they have rights to determine what you can and cannot do.

          Although I reluctantly agree with you, my issue with companies doing this is that they don't tell their employees what they're doing. Unless you have the technical knowledge to understand a certificate chain, you won't know that corporate IT is watching you check your bank account.

          • Unless you have the technical knowledge to understand a certificate chain, you won't know that corporate IT is watching you check your bank account.

            Of course I do. If I connect my personal tablet to the company's guest Wi-Fi to check my bank account and get an error message about untrusted certificates, I consider updating my resume. This is far less practical when a government does so, as borders are more likely to be closed.

        • Let me see if I understand you correctly,
          • A government sets policies you agreed to in order to utilize computer equipment and Internet connections. You have no choice because you're using equipment within the geographic scope of control.
          • The company sets policies you agree to in order to utilize computer equipment and Internet connections. You have no choice because you're using equipment within their geographic scope of control.
          • If the government is a dictatorship, if you violate the rules you're taken out and
          • In a corporation, if the rules are unfair, you can petition, protest. You can't run for office, you have no ability to change policy, you only run the risk of getting fired and/or blacklisted.

            In a corporation, if the rules are unfair, you have the right to update your resume, line up some contract work, and give two weeks' notice. The choice to find another job within a country is typically far more practical than the choice to find another country. Are there documented cases of being "blacklisted in the job market" over politely disagreeing with the rules?

            • Just because you are in a high demand field which gives you options, does not mean anyone can do the same. If you are in a job that pays under 40-50k/year, chances are 1) you are just scraping by and can't afford to move, 2) can't move to competitors because of non-compete agreements that you were required to sign as a condition of employment, 3) have no time/resources for school (not in control of work schedule or dependent on public transport, can't afford equipment for online courses or internet connection,
          • by DarkOx ( 621550 )

            In a corporation, if the rules are unfair, you can petition, protest. You can't run for office, you have no ability to change policy, you only run the risk of getting fired and/or blacklisted.

            I have never worked anywhere where I was not free to ask the reasoning behind, an exception for, or update to a policy, where said request was sent politely and privately to the appropriate party. I have had such requests ignored, and denied of course but nobody has ever 'retaliated' over it.

      • by smARMie ( 743226 )
        In a company you give your consent for that, or else you can choose not to submit (and quit). And you anyway don't own the device, it's the company's device.
      • ... And so it begins. ...
      • Anonymous Coward is projecting stupidity from his mind into my post.

        1) I never said ANYTHING about what is acceptable or unacceptable for a government to do. My last statement implied that I would rather they not do it, but I did not say that them doing it was wrong in any way.

        2) My post was 90% about how this same relatively small, weak government had tried to do this before and how large international corporations had foiled them before, and that this time was not likely to be successful.

      • So let's get this straight... you think it's unacceptable for governments to MiTM HTTPS traffic of their citizens yet you allow companies around the world to do the same thing to their employees? How is one different than the other?

        Where I live (in the EU) that would be highly illegal for companies too.

        • by locofungus ( 179280 ) on Monday December 07, 2020 @03:58AM (#60802104)

          Where I live (in the EU) that would be highly illegal for companies too.

          I live and work in the EU (until the end of the month) and yet my employer does MitM interception.

          • by realxmp ( 518717 ) on Monday December 07, 2020 @05:04AM (#60802152)

            Where I live (in the EU) that would be highly illegal for companies too.

            I live and work in the EU (until the end of the month) and yet my employer does MitM interception.

            Just because an employer does it, does not mean it is legal. Many managers have this wishful thinking idea that the law is always what they imagine it to be and not what it is. That is especially the case because if you intercept communications and inevitably end up holding sensitive and personal data (employee's sexual, gender, religious or similar preferences) you become subject to the GDPR and the very highest levels of fines.

            In the UK at least it is limited by The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 [legislation.gov.uk], and limits you to compliance purposes (for call centres) and anti-hacking. If you are using it to spy on office gossip or your boss's email rather than legitimate business purposes you are subject to the same criminal sanctions as someone wiretapping a phone line.

            • by realxmp ( 518717 )
              Oh and the reason why it is limited this way? You are not just intercepting your employee's communications, you are also intercepting mine when I communicate with your employees and I did not sign my life away to you.
              • That was addressed in . [europa.eu]

                Companies in the EU can absolutely run MitM on encrypted network traffic, as well as monitor detailed use. There are some hoops to jump through, whitelists must be maintained, and every employee must be notified, but it can be done within the scope of GDPR.

                Various "legitimate interest" include virus and malware scanning, reducing bandwidth needs through caching, or getting through corporate security proxy devices that reduce the risk of corporate data being leaked.

                In order to rely on [legitimate interest] as the legal ground for processing it is essential that specific mitigating measures are present to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees. Such measures, depending on the form of monitoring, should include limitations on monitoring so as to guarantee that the employee’s privacy is not violated.

                It can also be done

            • Unless, of course, you receive a Patriot Act order which may never have been seen by a judge and which is illegal to reveal that you ever received.

              https://www.aclu.org/press-rel... [aclu.org]

            • by Mascot ( 120795 )

              That is especially the case because if you intercept communications and inevitably end up holding sensitive and personal data (employee's sexual, gender, religious or similar preferences) you become subject to the GDPR and the very highest levels of fines.

              Just to clarify, your examples are of data the GDPR defines as _especially_ sensitive and triggering extended requirements for collection and protection. Any personal information whatsoever would make it subject to the GDPR, even if entirely innocuous.

              As an aside, I don't know about your colleagues, but in my experience things like sexual and religious preference is not something I find to inevitably find its way into workplace correspondence. :p

              • CVs are full of personal data covered by the GDPR.

              • by realxmp ( 518717 )

                As an aside, I don't know about your colleagues, but in my experience things like sexual and religious preference is not something I find to inevitably find its way into workplace correspondence. :p

                Agreed, though it is very easy to impute from web browsing history with an intercepting proxy. Let's say you book a health appointment or access your personal email, there is a good chance you'll give away sensitive data.

            • Limited to compliance purposes? Compliance translates directly to following the law.

              A Kazakhstan ISP doing SSL interception when the law requires it is doing it for compliance purposes... just saying.

              The laws are wildly different in scope, yes, but... limited to compliance purposes, that made me laugh, that can't be the argument.

          • by AmiMoJo ( 196126 )

            Why don't you submit a complaint?

          • I live and work in the EU (until the end of the month) and yet my employer does MitM interception.

            Do they though? I live here too and all traffic is pumped through their network when I'm in the office (so maybe next year) or VPN. That means they would be able to read plaintext communication, just like any ISP, but that doesn't mean that they're decrypting my slashdot posts over HTTPS.

          • That's why there is a movement toward the "right to disconnect".
          • Hopefully only where absolutely necessary and not on your desktop work computer.

            There are allowances for exceptions, but they are pretty strict. Of course I live in Germany and privacy laws are a bit harder here than in the rest of the EU.

          • I have yet to find a EU country where this is legal, so in most EU countries that is illegal at least.

            I have not checked all, but as we have customers in a lot of them and deal with communications, so this comes up now and then so I have had to check and have not found one where it is legal.

            That is not to say that there is not one or more where it is legal..

            • In the UK it's allowed provided that consent is obtained - usually via the employee handbook that everybody gets when they start work.

              It's also allowed in Romania as this (somewhat) famous case showed:

              https://parissmith.co.uk/blog/... [parissmith.co.uk]

              From the "Speed read" bit partway down that page:
              1. Monitoring of employees' IT use and systems at work can be lawful. This is clear. There is no overarching right to privacy which allows employees to do what they like at work when using an employer's IT syst

        • by SJ ( 13711 )

          Very simple. The owner of the device wants to protect their data. Hint, the owner of the device is the company, not the employee.

          Stick whatever tracking tools you want on the laptop you give me. I'll use it for work alone.

          Try and stick those tools on my own devices, and I'll tell you somewhere else to stick them.

        • by N1AK ( 864906 ) on Monday December 07, 2020 @05:24AM (#60802176) Homepage
          It's very common practice for companies to set devices to immediately connect to a work VPN and to put all traffic through that VPN; this allows the company to capture and inspect all traffic, or to at least see the destinations of communications. The EU has plenty of employee and consumer protections, but unless you're going to back this one up with some evidence then I'd suggest everyone take it with a serious pinch of salt.

          A lot of people here seem to be misunderstanding how regulation works in practice, for example someone talking about GDPR. Firstly GDPR isn't relevant to observing traffic, it would only be relevant to data you retain. Secondly, the policies your employees using the equipment will have to sign should cover the use and retention of data. Thirdly, the data existing on a system isn't sufficient to make it a GDPR breach; to give an extreme example because it isn't the simplest of areas: If I use Gmail in the browser on a work machine then it will cache content, that content could very well include data that would be restricted but there are no circumstances under which the company would get in trouble for that data being on that machine.
          • by Mascot ( 120795 )

            If I use Gmail in the browser on a work machine then it will cache content, that content could very well include data that would be restricted but there are no circumstances under which the company would get in trouble for that data being on that machine.

            If they sell that machine without wiping it first, then I believe they would be. Not because the company actively collected the data, but because they should reasonably be expected to understand that a PC used by an employee will also likely be utilized for some personal use and thus might contain some kind of personal data. The same applies if they were to dig into the cache after the employee has turned in their computer. Doing so out of curiosity = instant GDPR violation. You did not get consent, and you

            • by PPH ( 736903 )

              because they should reasonably be expected to understand that a PC used by an employee will also likely be utilized for some personal use

              Unless they post a company policy to the contrary. Company computer: Do not use for personal information. Not permitted under the GDPR? Then be prepared to work for a company that blocks all access to outside services not required for work. I used to work for an outfit that had a rack of machines with a Google logo on them in their server center (I had permission to work in the server room for other system support reasons). I asked an IT guy what those were and he said that anyone who did a Google search we

              • by Mascot ( 120795 )

                I don't really know if the GDPR has a stance related to using company equipment for personal use, but our (Norway) laws do. E.g. for a company phone it is assumed you will use it for some personal calls and you are taxed a set amount for that. The same assumption is made of computers, which is one reason why an employee's emails cannot be accessed without obtaining consent unless you have a valid reason to violate their privacy.

            • by N1AK ( 864906 )

              The same would be true of observing data. As I see it, that counts as processing data and you must assume that the data you process might contain personal information. Which means that you are responsible for ensuring you are not storing it

              You're making my point. It isn't processing/observation of data that matters it's retention/storing. Most companies are going to have endpoint protection, firewalling, spamfiltering etc that process data which will include information covered by data protection regulation

              • by Mascot ( 120795 )

                This seems to be veering into semantics. You cannot process what you do not have access to, and you cannot access what is not stored in some fashion, even if temporarily. What exactly is your claim? That unmanaged switches are not a GDPR issue in and of themselves? If so, sure, no argument from me. What other kinds of processing/observing personal data are you thinking of that does not ever create a log entry or cause any kind of traceable action? "Data processor" is a term within the GDPR, and it is not i

          • It is not only GDPR, and you are right in that GDPR is limited in this regard as it is not meant for this.

            But majority of EU countries at least seem to have laws about datatraffic security.

            They are bit different in different countries, but in general communication that the sender wants to be private should be kept so unless some overriding thing like another specific law(like anti-terror laws) says otherwise.

            In general the companies have no specific rights to your private communications in such cases, excep

            • by N1AK ( 864906 )

              as for the part where companies will not get in trouble, it's quite wrong, many companies have been fined for accessing private communications.

              Care to give an example of where a company has gotten into trouble due to browser caching on user devices, the only type of activity I said there wouldn't be trouble for? There are plenty of other things companies could be fined for, and they would all be equally irrelevant to that point.

          • by PPH ( 736903 )

            Firstly GDPR isn't relevant to observing traffic, it would only be relevant to data you retain.

            I don't understand the distinction. In many cases 'traffic' becomes data that I retain (and vice versa). If it's not OK to snoop on my data stored on some system (mine, the cloud or some organization I do business with) then why would it be OK to sniff that same data en route?

            • by N1AK ( 864906 )
              Read the regulations, if you find something that you think would mean you'd get in trouble as a business for, as an example, your firewall doing deep packet inspection of traffic which included personal information then I'd be happy to discuss it with you; but there's no point talking about what's ok under regulations if all parties involved aren't clear on the regulations.
      • Simple. I can use my personal computer on my personal internet to do my personal stuff and my employer won't see a single bit.

        When the government eavesdrops at a national level, nothing I do is outside of their sight.

    • by kot-begemot-uk ( 6104030 ) on Monday December 07, 2020 @02:23AM (#60801990) Homepage
      It's a bit more complex.

      1. The usual suspects (the lot of them listed in the article) regularly do not comply with legal intercept requirements outside USA. While installing a government certificate is an extremely blunt tool, it is a natural result of Google being a law of its own. I'd frankly have Google comply with laws where they operate instead. At the same time, Google and co stream information real time to Langley and Gloucester (do not do as I do, do as I say). The most recent "investigations" by the well known "approved prepared leak" team "The Mi6Sider and the CIACat" (names correctly spelled) prove that 100% - they contain location data which could have been obtained only this way.

      2. There are two mechanisms for blacklisting. A) updates (blacklisting in code), B) marking the cert as invalid in OCSP. Kazakhstan did not do its homework the first time and did not define a legal stick (or should it be legal baseball bat) for A). That, I believe is in place now. B can be blocked. Will this suffice - no idea.

      In any case - it's their country, their laws and their decision. Is it right? Of course not. Do they have a choice? See 1.

    • by dddux ( 3656447 )
      "The definition of insanity is repeating the same mistakes over and over again and expecting different results." That's it! I knew we were living in an insane society.
  • Nothing new (Score:5, Insightful)

    by chrism238 ( 657741 ) on Monday December 07, 2020 @12:40AM (#60801882)
    Cloudfare offers this as a helpful service to my university.
    • by realxmp ( 518717 ) on Monday December 07, 2020 @06:11AM (#60802210)
      Interesting, are you guys banned from Eduroam then, because I know requiring a certificate for an intercepting proxy (at least for visiting users) is on Eduroam's forbidden practices list? Frankly the idea of having an intercepting proxy that would inevitably snag student's sensitive and personal data scares the hell out of me. They're one server compromise away from giving blackmail material to the dark web. If they were in Europe, I would start asking GDPR compliance questions.
      • They're one server compromise away from giving blackmail material to the dark web.

        Erm.. aren't we all?

        • by realxmp ( 518717 )

          They're one server compromise away from giving blackmail material to the dark web.

          Erm.. aren't we all?

          It helps if you refrain from gathering all the material they need into one nice database and link it back to user identities. At least make them have to break into multiple systems.

    • Cloudfare offers this as a helpful service to my university.

      There's a difference to MITM corporate owned equipment (standard practice), a privately run network (somewhat standard practice), and citizens of a nation by the government (definitely not standard practice).

      I'm sure Cloudflare (note there's an L in the name) would show give the Kazak government the choice of seeing 2 of 10 possible fingers.

  • by Joe_Dragon ( 2206452 ) on Monday December 07, 2020 @12:50AM (#60801892)

    and this will mess up IOT hardware that will get tripped up by this.

    Will they also block VPN's?

    • Since most VPN connections require a SSL connection on port 443 for the tunnel setup, the MITM presence would give them the ability to view all the VPN traffic too. It's possible to set up VPN with a pre-shared key, but it's not very common.

      ---
    • You make it sound like it is actually a good thing.
  • They got tired of outsiders calling them a "buy a vowel" country.

    • Actually, they got tired of all the bad publicity Borat brought them, so they just decided to run with it [avclub.com].

      • One of their politicians has a paper-mache Borat with devil horns greeting people who come into his office. "Democracy doesn't mean that everything is allowed... He crossed the line", he says of the movie. "He is Satan... I'll shoot him. I'll destroy him." He then proceeds to pull a rifle out from behind his office cabinet and start swinging it around. Later, he says "I want people to see the real Kazakhstan. Borat showed you dirty gypsies."

        For some strange reason... these kind of interviews weren't doing m

        • by pz ( 113803 )

          "Democracy doesn't mean that everything is allowed... He crossed the line", he says of the movie.

          But, if you actually listen, he was talking about the limits of behavior that every society has, not ones that the government imposes. Big difference.

  • by fustakrakich ( 1673220 ) on Monday December 07, 2020 @12:59AM (#60801902) Journal

    I knew HTTPS was good for something

  • I think we all know what they're really after.
    Nudes.
  • And the fact that the browser "vendors" ultimately tell you what to trust and what not, makes this even more of an obvious complete freaking joke.

    The only case where this works, is if the CA is yours, and there is not a single other root certificate installed.

    A browser should never ever say "This is Google.com.", but always ... oh fuck, I just clicked the encryption info and it says "Google Trust Services".
    I quit. No need to add anything. It's already plain to see for everyone, how insane this is.

  • by heretic108 ( 454817 ) on Monday December 07, 2020 @02:35AM (#60802006)
    So has Sascha Baron Cohen approved the script yet?
  • "Begins" ? (Score:3, Interesting)

    by Anonymous Coward on Monday December 07, 2020 @02:52AM (#60802028)

    One of the critical features of cloud hosting is the possession of the SSL keys by the cloud provider to serve any HTTPS enabled proxies. This means the SSL keys are available, unencrypted, to the cloud provider, especially for those cloud services hosted in Shanghai and whose internal SSL based traffic has a "mysterious" delay of roughly 100 msec typical of an intermediate SSL man-in-the-middle attack, even for entirely internal traffic such as S3 traffic to Amazon. It's very difficult to believe that Amazon is not cooperating with the Chinese government to enable man-in-the-middle monitoring. It's legal under Chinese law and various treaties, it's simply reprehensible and unethical to provide the "service" without notifying clients.

  • by locofungus ( 179280 ) on Monday December 07, 2020 @03:04AM (#60802042)

    I wish the browser manufacturers would acknowledge that there are genuine cases where MitM interception is appropriate and then cases where it isn't.

    I use MitM at home to block traffic from my own devices connecting to places that I don't want them connecting to. But I'm aware that it's happening, I understand that it is happening and I consent to it happening.

    DoH plus ESNI potentially risks me losing all control of my own devices, where they're connecting to, and what they're doing. Fortunately, there are too many big employers who need this MitM interception facility so currently it's all avoidable and hopefully will be for a long time!

    • by ledow ( 319597 )

      They do.

      Almost every school and workplace deploys MITM SSL. You just set a group policy or two, and hey-presto. DoH is similarly under your control as an IT admin, and ESNI shouldn't affect anything if you're MITMing.

      The thing is - that's on computers that you CONTROL, and have admin rights to. Doing it on machines you do not control should, rightly, flag it up as an extremely serious problem. Which is what browsers do.

      And when you're a government trying to do that by diktat to millions of people throug

      • The thing is - that's on computers that you CONTROL, and have admin rights to.

        The problem in grandparent's post arises with computers that you own but don't control. Common examples are home entertainment devices and "Internet of Things" devices.

        DO NOT allow things on the Internet that you do not trust.

        Good luck making a trustworthy replacement for every device in the average home or vehicle. One issue with wider adoption of devices that respect the user's freedom is that the entertainment industry sees such devices as a threat to their business model. How can advocates of user freedom get the public to care more about user freedom than abo

    • This really just shifts the burden from NIDS to HIDS/endpoint inspection. TLS 1.3 will all be push companies the way as well. Sure I can't snoop the data in transit, but I can sure as hell snoop on my end of the connection.

      • Does that help when the connection might be being established by a piece of javascript?

        Short of having a purpose built client - in which case you might as well customize it to go through a MITM proxy anyway - you still cannot easily tell what information it is sending where.

        ISTM that the most likely eventual endpoint is a browser that doesn't do TLS1.3 and a proxy that does. The browser might actually end up HTTP only.

        • If software on the host can not inspect and see every network connection that hosts makes, the OS itself must be compromised.

          • You can tell what IP you are connecting to but not which host.

            • I think we are using the term "host" differently.

              Host = the machine running the inspection software, aka the client you are sitting at.
              Your host = the web server you are connecting to.

              I'm talking about running inspection software directly on the client. Why would my computer be unable to see or inspect the actions it is taking?

              • How is your "protection" software, running on your computer, going to be able to tell what the javascript in a webpage is doing and where it's connecting and what data it's sending out or downloading?

                You cannot even block individual websites reliably based on IP address due to (AWS in particular) many, many hosts running on shared IPs or IPs that regularly change.

                Quite a lot of my home filtering is just SNI inspection and the encryption is end to end.

                • The same way this works https://support.cloudshark.io/... [cloudshark.io]

                  I'm sure CrowdStrike or CarbonBlack can do this today.

                  • I only looked at the front page but this looks like it's a front end to wireshark.

                    Sure you can see what IP a machine is connecting to. But with ESNI and HTTPS all you can tell is that you're connecting to AWS, you have no idea which particular host you might be connecting to.

                    With ODoH you also cannot tell what DNS it is requesting. So you don't even have the option of (trying to) correlate DNS requests with IP connections.

                    I don't see what advantage running cloudshark on the host has over running it on the e

  • by DrXym ( 126579 ) on Monday December 07, 2020 @07:20AM (#60802304)
    I've suffered this crap in companies before. They installed Fortinet with a setting for doing man in the middle attacks and suddenly none of the dev tools work because they all have their own trust stores and reject the phony cert when they go to fetch packages or install updates or whatever.

    In a broader setting this bullshit will cripple Kazakh economy, have a chilling effect on outside investment, interfere with company operations, and for normal people will break their devices in random ways. Updates won't work, games won't play, streaming services will break and so on. And consequently ordinary citizens will make criminals of themselves simply to circumvent the heavy handed paranoid bullshit that shouldn't have been implemented at all.

  • I live here. This laughable attempt is being jokingly referred to as a "kazakh-in-the-middle" attack. The authorities even had the nerve to issue a public apology for "internet access problems".
  • We'll just start transmitting in lower case!

    Oh, wait...
