
Kazakhstan Attempts to MITM Its Citizens - lelf
https://www.f5.com/labs/articles/threat-intelligence/kazakhstan-attempts-to-mitm-itscitizens
======
chupa-chups
17 days ago:
[https://news.ycombinator.com/item?id=20472179](https://news.ycombinator.com/item?id=20472179)

------
StudentStuff
> An increasing number of businesses are legitimately intercepting encrypted
> traffic on their networks. It’s pretty much a necessity today.

This is blatant FUD right in the intro, trying to push F5's known bad TLS MITM
hardware: [https://timtaubert.de/blog/2016/09/tls-version-intolerance/](https://timtaubert.de/blog/2016/09/tls-version-intolerance/)

~~~
userbinator
It's not black and white. I have a MITM proxy on my network that I use to
remove ads, modify pages, and block sites, among other things.

In fact, I recommend anyone with "smart"/IoT things on their network to use
one, and find out what they're saying...
[https://news.ycombinator.com/item?id=6759426](https://news.ycombinator.com/item?id=6759426)

~~~
maxaf
There are plenty of “smart” IoT devices that use client-side cert pinning as a
defense mechanism against MITM attacks.

~~~
jjeaff
They wouldn't even need cert pinning, would they? Just cert validation. Unless
you have access to the device to install an alternate CA, then regular cert
validation is going to fail when it reads your fake cert issued from a
non-authoritative source.
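
Added example, not part of the thread: the difference between plain certificate validation (jjeaff's comment) and client-side pinning (maxaf's comment), shown with locally generated certificates. It assumes the `openssl` CLI with its default configuration; the names `public-root`, `proxy-ca` and `device.example` are hypothetical.

```shell
#!/bin/sh
# Constructed demo: every key, CA and certificate below is generated locally.
# Names (public-root, proxy-ca, device.example) are hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate (assumes the default openssl.cnf marks it CA:TRUE)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME CA: certificate for device.example issued by CA
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=device.example" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

# spki_pin CERT: base64 SHA-256 of the DER public key, the value a pinning client stores
spki_pin() {
    openssl x509 -in "$WORK/$1.pem" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# client_decision LEAF TRUSTSTORE [PIN]: chain validation first, then the optional pin check
client_decision() {
    openssl verify -CAfile "$WORK/$2" "$WORK/$1.pem" >/dev/null 2>&1 || { echo reject; return 0; }
    [ -z "${3:-}" ] || [ "$(spki_pin "$1")" = "$3" ] || { echo reject; return 0; }
    echo accept
}

make_ca public-root; make_ca proxy-ca
make_leaf genuine public-root        # what the real server presents
make_leaf substituted proxy-ca       # what an intercepting proxy presents
cp "$WORK/public-root.pem" "$WORK/stock.store"                             # untouched device
cat "$WORK/public-root.pem" "$WORK/proxy-ca.pem" > "$WORK/modified.store"  # extra CA installed
PIN=$(spki_pin genuine)

echo "stock store, no pin:     $(client_decision substituted stock.store)"
echo "modified store, no pin:  $(client_decision substituted modified.store)"
echo "modified store, pinned:  $(client_decision substituted modified.store "$PIN")"
echo "genuine cert, pinned:    $(client_decision genuine modified.store "$PIN")"
```

Ordinary validation is enough as long as the trust store is untouched; the pin only changes the outcome once an additional CA has been added to the store.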

------
mholt
Both Caddy[1] and Cloudflare[2] use a published technique to detect MITM, and
(speaking as the author of Caddy), we want to make sure our systems can detect
this travesty as well. If you are on an affected network and if it is safe to
do so, would you please let us know if Caddy's MITM detector picks it up?

[1] [https://caddyserver.com/docs/mitm-detection](https://caddyserver.com/docs/mitm-detection)

[2] [https://malcolm.cloudflare.com](https://malcolm.cloudflare.com)

------
burtonator
Governments would never use this data for nefarious purposes like selling it
to your competitors for money or killing religious minorities.

------
TazeTSchnitzel
Will Mozilla, Google, Microsoft or Apple blacklist the certificate?

------
Svoka
Silly joke: we call it "Kazakh in the middle"

