Kazakhstan's Government Begins Intercepting HTTPS Traffic In Its Capital (zdnet.com) 126
ZDNet reports:
Under the guise of a "cybersecurity exercise," the Kazakhstan government is forcing citizens in its capital of Nur-Sultan (formerly Astana) to install a digital certificate on their devices if they want to access foreign internet services. Once installed, the certificate would allow the government to intercept all HTTPS traffic made from users' devices via a technique called MitM (Man-in-the-Middle).
Starting today, December 6, 2020, Kazakh internet service providers (ISPs) such as Beeline, Tele2, and Kcell are redirecting Nur-Sultan-based users to web pages showing instructions on how to install the government's certificate. Earlier this morning, Nur-Sultan residents also received SMS messages informing them of the new rules.
Kazakhstan users have told ZDNet today that they are not able to access sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix without installing the government's root certificate.
This is the Kazakh government's third attempt at forcing citizens to install root certificates on their devices after a first attempt in December 2015 and a second attempt in July 2019. Both previous attempts failed after browser makers blacklisted the government's certificates.
Starting today, December 6, 2020, Kazakh internet service providers (ISPs) such as Beeline, Tele2, and Kcell are redirecting Nur-Sultan-based users to web pages showing instructions on how to install the government's certificate. Earlier this morning, Nur-Sultan residents also received SMS messages informing them of the new rules.
Kazakhstan users have told ZDNet today that they are not able to access sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix without installing the government's root certificate.
This is the Kazakh government's third attempt at forcing citizens to install root certificates on their devices after a first attempt in December 2015 and a second attempt in July 2019. Both previous attempts failed after browser makers blacklisted the government's certificates.
Men in the Middle (Score:4)
I'm starting with the men in the middle (oooh)
I'm asking them to change their ways
And no message could have been any clearer...
Re: (Score:3)
Re:Men in the Middle (Score:5, Funny)
Thus instantly marking you as a subversive...
Re: (Score:2)
Re: (Score:3)
A more robust option is to use cloud servers as proxies. Tor does this to get around blocking in places like China. They can't very well block an HTTPS connection to Microsoft's Azure cloud because it would break loads of sites in China. Similarly trying to target people using them would mark half the population as people of interest.
Re:Men in the Middle (Score:4, Insightful)
On the bright side, this is Kazakhstan and not Uzbekistan. So they won't boil the idiot who behaves like you suggest alive for demonstrating subversive tendencies against government policy. They'll just beat you and your family. And then tell your family that it's their duty to prevent you from being subversive, for your own good.
Reminder: these are the people who have physical access to you at any time they wish, and rules of the land are fully on their side.
I want call it "law" because there's no real rule of law in formerly Soviet -stans, just universally understood societal rules where dictators have total control. In some cases, making Borat's comedy look like a really tame, watered down version of actual reality. Be it Uzbeks boiling subversives alive as punishment, Turkmen worshipping their Arkadag in a way that makes Kim look like a widely domestically criticised leader or Kazakhs renaming their capital to the name of their post-Soviet ruler after his death.
Re: (Score:2)
It's a good thing America would never name its capital city after America's first president. Oh, wait... we did it while he was still alive and still president.
Re: (Score:2)
Before you embarrass yourself further, do google Nursultan Nazarbayev.
Re: (Score:2)
No. Borat was a failure, because for all his efforts to do an over the top comedy, he ended up doing a really watered down and tame version of Arkadag.
I suspect at least in part because it would have gone beyond the parody horizon for most Westerners just to get what Arkadag is and what he does. So he had to water it down. A lot.
Re: (Score:2)
Lets try the same thing that failed before! (Score:4, Insightful)
Yes, browser blacklisted them twice before, so lets do it a third time.
Surely the people that love privacy and hate our attempt to destroy privacy will give in and not blacklist us again!
This make me think of the Narcotics Anonymous (1981) Definition of Insanity: "The definition of insanity is repeating the same mistakes over and over again and expecting different results."
Of course, this is also the real definition of perseverance. But I hope it proves insane, rather than an example of perseverance.
Re: (Score:1, Insightful)
Re:Lets try the same thing that failed before! (Score:5, Insightful)
Re: (Score:2)
A company gets to set policies that you agree to in order to utilise company equipment and connections, you are using their equipment on their time therefore they have rights to determine what you can and cannot do.
Although I reluctantly agree with you, my issue with companies doing this is that they don't tell their employees what they're doing. Unless you have the technical knowledge to understand a certificate chain, you won't know that corporate IT is watching you check your bank account.
Cert error on personal tablet? Find another job (Score:2)
Unless you have the technical knowledge to understand a certificate chain, you won't know that corporate IT is watching you check your bank account.
Of course I do. If I connect my personal tablet to the company's guest Wi-Fi to check my bank account and get an error message about untrusted certificates, I consider updating my resume. This is far less practical when a government does so, as borders are more likely to be closed.
Re: (Score:2)
Employees have the right to two weeks' notice (Score:2)
In a corporation, if the rules unfair, you can petition, protest. You can't run for office, you have no ability to change policy, you only run the risk of getting fired and/or blacklisted.
In a corporation, if the rules are unfair, you have the right to update your resume, line up some contract work, and give two weeks' notice. The choice to find another job within a country is typically far more practical than the choice to find another country. Are there documented cases of being "blacklisted in the job market" over politely disagreeing with the rules?
Re: (Score:2)
Re: (Score:2)
In a corporation, if the rules unfair, you can petition, protest. You can't run for office, you have no ability to change policy, you only run the risk of getting fired and/or blacklisted.
I have never worked anywhere where I was not free to ask the reasoning behind, an exception for, or update to a policy, where said request was sent politely and privately to the appropriate party. I have had such requests ignored, and denied of course but nobody has ever 'retaliated' over it.
Re: Lets try the same thing that failed before! (Score:4, Informative)
Before you go ranting about how risk of starvation is coercion, it isn't. Coersion is forcing a party to engage in a transaction they otherwise wouldn't under the circumstances. Your consumption of food is a one-party event, there is no transaction. Buying food is, but you can always make (grow) your own, or find alternate suppliers, or appeal to charity of others. You can always do something different, including competing with the incumbent employers. They did that when they started.
Re: (Score:3)
Also, this doesn't prove your still invalid fallacy.
Re: (Score:2)
A good deal of sex trafficking is slavery: where the prostitutes are beaten or killed if they leave the pimp's service. It's especially true for the child sex trade.
For slaves, the employer is indeed entitled to their labor, even if it is illegal. The idea that "you can always grow your own food" is simply not true. Without arable land, water, and time, growing food is impossible. Look into the history of the "company towns" in the USA, especially where employees were only paid in company script and no cash
Re: (Score:2)
Re: Lets try the same thing that failed before! (Score:5, Insightful)
Except that you completely missed the point. The choice here is not "must keep this job or starve", but simply "must not use company computers and network for personal use, if I want the privacy of those personal https connections preserved". Nobody is going to starve because they cannot check their Facebook page, or email a friend using company computers. Contrary to what some of today's "snowflake generation" believes, isn't there some universal human right in the world for employers to provide their employees hardware and internet access for their personal browsing. Any browsing you do as part of the job, you have no expectation of privacy from your employer, any personal browsing you should do "on your own dime", i.e. using your personal hardware, using personal internet access, and not on company paid time. Any employers which do allow personal use of their equipment and/or services are doing it out of their own free will, think of it as a job benefit/perk, not some right you earned by being born.
Re: (Score:3)
Because "they could always get another job". But they can't. Not in reality
Perhaps. But employees leave at the end of the workday and can use their own Internet at home.
where starvation and similar choices are not /actual/ options.
Can you cite an example, anywhere in the world, ever, where someone starved to death because they refused to work for an employer who restricted what they could do on the Internet during working hours? As a hypothetical, that seems completely absurd.
Re: (Score:2)
You do not work 24/7, and most people have mobile devices these days. You have plenty of opportunity to access the internet without being snooped on by your employer either doing so outside of working hours, or using your own mobile equipment.
Quite why anyone would want to use their work provided computer for anything other than work makes no sense to me.
Re: (Score:2)
You do not work 24/7, and most people have mobile devices these days.
Companies offering guest Wi-Fi for use with personal mobile devices apply the same lack of right of privacy to the guest Wi-Fi that they apply to the private corporate network.
Re: (Score:3)
Gosh, you might have to use your own data plan for your at-work porn browsing. That gets so expensive you'll have to turn the video quality down to standard definition. You should sue!
Re: (Score:2)
Then don't use it. Modern mobile plans are widely available and not extortionately expensive.
If they don't monitor the connection, they are potentially exposing themselves to liability. If someone does something illegal on the guest wifi, they have to be able to trace if back to an individual user. If they're using NAT, which is almost mandatory for IPv4 these days then they *NEED* to log every single connection you make in order to maintain a mapping between the internal address of your device and the exte
Re: (Score:1)
Re: Lets try the same thing that failed before! (Score:2, Insightful)
You just don't.fucking get what a government is, especially a democratic one, do you?
Or what a corporation is. (Hin: Not a godking.)
The only reason anything can be declared "yours", is because there is a government with the bigget club, in the form of police and military, to enforce that rule. There is no such thing as "ownership" in reality otherwise. You can screech "mine!" all you want, if somebody comes in with a bigger club, to take it, it's his.
This idiotic belief in absolute "ownership", like it mean
Re: Lets try the same thing that failed before! (Score:2)
Now my employer has asked me to work from home, they are using *my* network and *my* rules apply. If they aren't happy with that they can always provide suitable company owned resources.
Re: (Score:2)
If they aren't happy with that they can always provide suitable company owned resources.
Many companies can, and do exactly that. Plenty of people have brought home a work-owned machine, which gets connected to VPN to the workplace network, all for doing work-related tasks.
In addition to practical reasons of license compliance and making sure employees don't get reclassified for using their own equipment, companies do that to ensure data stays on encrypted drives, to help reduce the risks that corporate data get syphoned off, and similar. A few companies that have strict hours for logistical re
Re: (Score:2)
... they are using *my* network and *my* rules apply ...
I bet they don't. The moment your employer says "install this on your laptop or you walk", you'll be installing stuff you don't want on your laptop.
Or, maybe *you* won't, and you'll walk instead; I don't know you specifically. This is about corporate ruling and how far it goes, and there are plenty of examples where $AUTHORITY tells you to do something to your own device (i.e. install productivity benchmarks, cheating protection for exams etc) you don't want.
Use the history function of your browser: slashd
Re: (Score:1)
Re: (Score:2)
Anonymous Coward is projecting stupidity from his mind into my post.
1) I never said ANYTHING about what is acceptable or unacceptable for a government to do. My last statement implied that I would rather they not do it, but I did not say that them doing it was wrong in any way.
2) My post was 90% about how this same relatively small, weak government had tried to do this before and how large international corporations had foiled them before, and that this time was not likely to be succesfull.
Re: (Score:3)
So let's get this straight... you think it's unacceptable for governments to MiTM HTTPS traffic of their citizens yet you allow companies around the world to do the same thing to their employees? How is one different than the other?
Where I live (in the EU) that would be highly illegal for companies too.
Re:Lets try the same thing that failed before! (Score:4, Insightful)
I live and work in the EU (until the end of the month) and yet my employer does MitM interception.
Re:Lets try the same thing that failed before! (Score:4, Informative)
I live and work in the EU (until the end of the month) and yet my employer does MitM interception.
Just because an employer does it, does not mean it is legal. Many managers have this wishful thinking idea that the law is always what they imagine it to be and not what it is. That is especially the case because if you intercept communications and inevitably end up holding sensitive and personal data (employee's sexual, gender, religious or similar preferences) you become subject to the GDPR and the very highest levels of fines.
In the UK at least it is limited by The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 [legislation.gov.uk], and limits you to compliance purposes (for call centres) and anti-hacking. If you are using it to spy on office gossip or your boss's email rather than legitimate business purposes you are subject to the same criminal sanctions as someone wiretapping a phone line.
Re: (Score:2)
Re: (Score:2)
That was addressed in . [europa.eu]
Companies in the EU can absolutely run MitM on encrypted network traffic, as well as monitor detailed use. There are some hoops to jump through, whitelists must be maintained, and every employee must be notified, but it can be done within the scope of GDPR.
Various "legitimate interest" include virus and malware scanning, reducing bandwidth needs through caching, or getting through corporate security proxy devices that reduce the risk of corporate data being leaked.
In order to rely on [legitimate interest] as the legal ground for processing it is essential that specific mitigating measures are present to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees. Such measures, depending on the form of monitoring, should include limitations on monitoring so as to guarantee that the employee’s privacy is not violated.
It can also be done
Re: (Score:2)
Unless, of course, you receive a Patriot Act order which may never have been seen by a judge and which is illegal to reval that you ever received.
https://www.aclu.org/press-rel... [aclu.org]
Re: (Score:2)
That is especially the case because if you intercept communications and inevitably end up holding sensitive and personal data (employee's sexual, gender, religious or similar preferences) you become subject to the GDPR and the very highest levels of fines.
Just to clarify, your examples are of data the GDPR defines as _especially_ sensitive and triggering extended requirements for collection and protection. Any personal information whatsoever would make it subject to the GDPR, even if entirely innocuous.
As an aside, I don't know about your colleagues, but in my experience things like sexual and religious preference is not something I find to inevitably find its way into workplace correspondence. :p
Re: (Score:2)
CVs are full of personal data covered by the GDPR.
Re: (Score:2)
Did I say they are not?
Re: (Score:2)
As an aside, I don't know about your colleagues, but in my experience things like sexual and religious preference is not something I find to inevitably find its way into workplace correspondence. :p
Agreed, though it is very easy to impute from web browsing history with an intercepting proxy. Let's say you book a health appointment or access your personal email, there is a good chance you'll give away sensitive data.
Re: Lets try the same thing that failed before! (Score:2)
Limited to compliance purposes? Compliance translates directly to following the law.
A Kazakhstan ISP doing SSL interception when the law requires it is doing it for compliance purposes... just saying.
The laws are wildly different in scope, yes, but... limited to compliance purposes, that made me laugh, that can't be the argument.
Re: (Score:2)
Why don't you submit a complaint?
Re: (Score:2)
I live and work in the EU (until the end of the month) and yet my employer does MitM interception.
Do they though? I live here too and all traffic is pumped through their network when I'm in the office (so maybe next year) or VPN. That means they would be able to read plaintext communication, just like any ISP, but that doesn't mean that they're decrypting my slashdot posts over HTTPS.
Right to disconnect (Score:2)
Re: (Score:2)
Hopefully only where absolutely necessary and not on your desktop work computer.
There are allowances for exceptions, but they are pretty strict. Of course I live in Germany and privacy laws are a bit harder here than in the rest of the EU.
Re: (Score:2)
I have yet to find a EU country where this is legal, so in most EU countries that is illegal at least.
I have not checked all, but as we have customers in a lot of them and deal with communications, so this comes up now and then so I have had to check and have not found one where it is legal.
That is not to say that there is not one or more where it is legal..
Re: (Score:2)
In the UK it's allowed provided that consent is obtained - usually via the employee handbook that everybody gets when they start work.
It's also allowed in Romania as this (somewhat) famous case showed:
https://parissmith.co.uk/blog/... [parissmith.co.uk]
From the "Speed read" bit partway down that page:
1. Monitoring of employeesâ(TM) IT use and systems at work can be lawful. This is clear. There is no overarching right to privacy which allows employees to do what they like at work when using an employerâ(TM)s IT syst
Re: (Score:3)
Very simple. The owner of the device wants to protect their data. Hint, the owner of the device is the company, not the employee.
Stick whatever tracking tools you want on the laptop you give me. I'll use it for work alone.
Try and stick those tools on my own devices, and I'll tell you somewhere else to stick them.
Re:Lets try the same thing that failed before! (Score:4, Interesting)
A lot of people here seem to be misunderstanding how regulation works in practice, for example someone talking about GDPR. Firstly GDPR isn't relevant to observing traffic, it would only be relevant to data you retain. Secondly, the policies your employees using the equipment will have to sign cover should cover the use and retention of data. Thirdly, the data existing on a system isn't suffiient to make it a GDPR breach; to give an extreme example because it isn't the simplest of areas: If I use Gmail in the browser on a work machine then it will cache content, that content could very well include data that would be restricted but there are no circumstances under which the company would get in trouble for that data being on that machine.
Re: (Score:2)
If I use Gmail in the browser on a work machine then it will cache content, that content could very well include data that would be restricted but there are no circumstances under which the company would get in trouble for that data being on that machine.
If they sell that machine without wiping it first, then I believe they would be. Not because the company actively collected the data, but because they should reasonably be expected to understand that a PC used by an employee will also likely be utilized for some personal use and thus might contain some kind of personal data. The same applies if they were to dig into the cache after the employee has turned in their computer. Doing so out of curiosity = instant GDPR violation. You did not get consent, and you
Re: (Score:2)
because they should reasonably be expected to understand that a PC used by an employee will also likely be utilized for some personal use
Unless they post a company policy to the contrary. Company computer: Do not use for personal information. Not permitted under the GDPR? Then be prepared to work for a company that blocks all access to outside services not required for work. I used to work for an outfit that had a rack of machines with a Google logo on them in their server center (I had permission to work in the server room for other system support reasons). I asked an IT guy what those were and he said that anyone who did a Google search we
Re: (Score:2)
I don't really know if the GDPR has a stance related to using company equipment for personal use, but our (Norway) laws do. E.g. for a company phone it is assumed you will use it for some personal calls and you are taxed a set amount for that. The same assumption is made of computers, which is one reason why an employee's emails cannot be accessed without obtaining consent unless you have a valid reason to violate their privacy.
Re: (Score:2)
You're making my point. It isn't processing/observation of data that matters it's retention/storing. Most companies are going to have endpoint protection, firewalling, spamfiltering etc that process data which will include information covered by data protection regulation
Re: (Score:2)
This seems to be veering into semantics. You cannot process what you do not have access to, and you cannot access what is not stored in some fashion, even if temporarily. What exactly is your claim? That unmanaged switches are not a GDPR issue in and of themselves? If so, sure, no argument from me. What other kinds of processing/observing personal data are you thinking of that does not ever create a log entry or cause any kind of traceable action? "Data processor" is a term within the GDPR, and it is not i
Re: (Score:2)
It is not only GDPR, and you are right in that GDPR is limited in this regard as it is not meant for this.
But majority of EU countries at least seem to have laws about datatraffic security.
They are bit different in different countries, but in general communication that the sender wants to be private should be kept so unless some overriding thing like another specific law(like anti-terror laws) says otherwise.
In general the companies have no specific rights to your private communications in such cases, excep
Re: (Score:2)
Care to give an example of where a company has gotten into trouble due to browser caching on user devices, the only type of activity I said there wouldn't be trouble for? There are plenty of other things companies could be fined for, and they would all be equally irrelevant to that point.
Re: (Score:2)
Firstly GDPR isn't relevant to observing traffic, it would only be relevant to data you retain.
I don't understand the distinction. In many cases 'traffic' becomes data that I retain (and vice versa). If it's not OK to snoop on my data stored on some system (mine, the cloud or some organization I do business with) then why would it be OK to sniff that same data en route?
Re: (Score:2)
Re: Lets try the same thing that failed before! (Score:2)
Simple. I can use my personal computer on my personal internet to do my personal stuff and my employer won't see a single bit.
When the government eavesdrops at a national level, nothing I do is outside of their sight.
Unpaid lunch (Score:2)
The company has right to know what people working for them do in their paid time.
Except in the unpaid gap between returning from lunch and clocking back in.
Re:Lets try the same thing that failed before! (Score:4, Interesting)
1. The usual suspects (the lot of them listed in the article) regularly do not comply with legal intercept requirements outside USA. While installing a government certificate is an extremely blunt tool, it is a natural result of Google being a law of its own. I'd frankly have Google comply with laws where they operate instead. At the same time, Google and co stream information real time to Langley and Gloucester (do not do as I do, do as I say). The most recent "investigations" by the well known "approved prepared leak" team "The Mi6Sider and the CIACat" (names correctly spelled) prove that 100% - they contain location data which could have been obtained only this way.
2. There are two mechanisms for blacklisting. A) updates (blacklisting in code), B) marking the cert as invalid in OCSP. Kazakhstan did not do its homework the first time and did not define a legal stick (or should it be legal baseball bat) for A). That, I believe is in place now. B can be blocked. Will this suffice - no idea.
In any case - it's their country, their laws and their decision. Is it right? Of course not. Do they have a choice? See 1.
Re: (Score:2)
Nothing new (Score:5, Insightful)
Data loss incident waiting to happen (Score:4, Interesting)
Re: Data loss incident waiting to happen (Score:2)
They're one server compromise away from giving blackmail material to the dark web.
Erm.. aren't we all?
Re: (Score:2)
They're one server compromise away from giving blackmail material to the dark web.
Erm.. aren't we all?
It helps if you refrain from gathering all the material they need into once nice database and link it back to user identities. At least make them have to break into multiple systems.
Re: (Score:2)
Cloudfare offers this as a helpful service to my university.
There's a difference to MITM corporate owned equipment (standard practice), a privately run network (somewhat standard practice), and citizens of a nation by the government (definitely not standard practice).
I'm sure Cloudflare (note there's an L in the name) would show give the Kazak government the choice of seeing 2 of 10 possible fingers.
and this will mess up IOT hardware that will get t (Score:3)
and this will mess up IOT hardware that will get tripped up by this.
Will they also block VPN's?
Re: (Score:1)
---
Re: (Score:2)
Fuddy-duds (Score:1)
They got tired of outsiders calling them a "buy a vowel" country.
Re: (Score:2)
Actually, they got tired of all the bad publicity Borat brought them, so they just decided to run with it [avclub.com].
Re: (Score:3)
One of their politicians has a paper-mache Borat with devil horns greeting people who come into his office. "Democracy doesn't mean that everything is allowed... He crossed the line", he says of the movie. "He is Satan... I'll shoot him. I'll destroy him." He then proceeds to pull a rifle out from behind his office cabinet and start swinging it around. Later, he says "I want people to see the real Kazakhstan. Borat showed you dirty gypsies."
For some strange reason... these kind of interviews weren't doing m
Re: (Score:2)
"Democracy doesn't mean that everything is allowed... He crossed the line", he says of the movie.
But, if you actually listen, he was talking about the limits of behavior that every society has, not ones that the government imposes. Big difference.
Well there ya go! (Score:4, Funny)
I knew HTTPS was good for something
Cybersecurity exercise? (Score:2)
Nudes.
Re: (Score:1)
See? CAs always were the fallacious achilles heel. (Score:2)
And the fact that the browser "vendors" ultimately tell you what to trust and what not, makes this even more of a obvious complete freaking joke.
The only case where this works, is if th CA is yours, and there is not a single other root certificate installed.
A browser should never ever say "This is Google.com.", but always ... oh fuck, I just clicked the encryption info and it says "Google Trust Services".
I quit. No need to add anything. It's already plain to see for everyone, how insane this is.
Make Secret Glorious Internet Secure of Kazakhstan (Score:4, Funny)
"Begins" ? (Score:3, Interesting)
One of the criticqal features of cloud hosting is the possession of the SSL keys by the cloud provider to serve any HTTPS enabled proxies. This means the SSL keys are available, unencrypted, to the cloud provider, especially for those cloud services hosted in Shanghai and whose internal SSL based traffic has a "mysterious" delay of roughly 100 msec typical of an intermediate SSL man-in-the-middle attack, even for entirely internal traffic such as S3 traffic to Amazon. It's very difficult to beli4ve that Amazon is not cooperating with the Chinese gonement to enable man-in-the-middle monitoring. It's legal under Chinese law and verious treaties, it's simply reprehensible and unethicald to provide the "service" without notifying clients.
Will make browser manufacturers more keen on ESNI (Score:3)
I wish the browser manufacturers would acknowledge that there are genuine cases where MitM interception is appropriate and then cases where it isn't.
I use MitM at home to block traffic from my own devices connecting to places that I don't want them connecting to. But I'm aware that it's happening, I understand that it is happening and I consent to it happening.
DoH plus ESNI potentially risks me losing all control of my own devices, where they're connecting to, and what they're doing. Fortunately, there are too many big employers who need this MitM interception facility so currently it's all avoidable and hopefully will be for a long time!
Re: (Score:2)
They do.
Almost every school and workplace deploys MITM SSL. You just set a group policy or two, and hey-presto. DoH is similarly under your control as an IT admin, and ESNI shouldn't affect anything if you're MITMing.
The thing is - that's on computers that you CONTROL, and have admin rights to. Doing it on machines you do not control should, rightly, flag it up as an extremely serious problem. Which is what browsers do.
And when you're a government trying to do that by diktat to millions of people throug
Replacing all devices with trustworthy devices (Score:2)
The thing is - that's on computers that you CONTROL, and have admin rights to.
The problem in grandparent's post arises with computers that you own but don't control. Common examples are home entertainment devices and "Internet of Things" devices.
DO NOT allow things on the Internet that you do not trust.
Good luck making a trustworthy replacement for every device in the average home or vehicle. One issue with wider adoption of devices that respect the user's freedom is that the entertainment industry sees such devices as a threat to their business model. How can advocates of user freedom get the public to care more about user freedom than abo
Re: (Score:2)
This really just shifts the burden from NIDS to HIDS/endpoint inspection. TLS 1.3 will all be push companies the way as well. Sure I can't snoop the data in transit, but I can sure as hell snoop on my end of the connection.
Re: (Score:2)
Does that help when the connection might be being established by a piece of javascript?
Short of having a purpose built client - in which case you might as well customize it to go through a MITM proxy anyway - you still cannot easily tell what information it is sending where.
ISTM that the most likely eventual endpoint is a browser that doesn't do TLS1.3 and a proxy that does. The browser might actually end up HTTP only.
Re: (Score:2)
If software on the host can not inspect and see every network connection that hosts makes, the OS itself must be compromised.
Re: (Score:2)
You can tell what IP you are connecting to but not which host.
Re: (Score:2)
I think we are using the term "host" differently.
Host = the machine running the inspection software, aka the client you are sitting at.
Your host = the web server you are connecting to.
I'm talking about running inspection software directly on the client. Why would my computer be unable to see or inspect the actions it is taking?
Re: (Score:2)
How is your "protection" software, running on your computer, going to be able to tell what the javascript in a webpage is doing and where it's connecting and what data it's sending out or downloading?
You cannot even block individual websites reliably based on IP address due to (AWS in particular) many, many hosts running on shared IPs or IPs that regularly change.
Quite a lot of my home filtering is just SNI inspection and the encryption is end to end.
Re: (Score:2)
The same way this works https://support.cloudshark.io/... [cloudshark.io]
I'm sure CrowdStrike or CarbonBlack can do this today.
Re: (Score:2)
I only looked at the front page but this looks like it's a front end to wireshark.
Sure you can see what IP a machine is connecting to. But with ESNI and HTTPS all you can tell is that you're connecting to AWS, you have no idea which particular host you might be connecting to.
With ODoH you also cannot tell what DNS it is requesting. So you don't even have the option of (trying to) correlate DNS requests with IP connections.
I don't see what advantage running cloudshark on the host has over running it on the e
Watch as their internet falls apart (Score:5, Interesting)
In a broader setting this bullshit will cripple Kazakh economy, have a chilling effect on outside investment, interfere with company operations, and for normal people will break their devices in random ways. Updates won't work, games won't play, streaming services will break and so on. And consequently ordinary citizens will make criminals of themselves simply to circumvent the heavy handed paranoid bullshit that shouldn't have been implemented at all.
Kazakh-in-the-middle (Score:2)
No matter (Score:2)
We'll just start transmitting in lower case!
Oh, wait...