
Mozilla takes action to protect users in Kazakhstan - soheilpro
https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/
======
usernameis42
A fella from Kazakhstan is here. The thing is that the state government claims
that they had finished certificate testing and provided instructions on how to
remove it from devices two weeks ago
([http://knb.gov.kz/ru/news/v-otnoshenii-sertifikata-bezopasno...](http://knb.gov.kz/ru/news/v-otnoshenii-sertifikata-bezopasnosti)).

I never installed that certificate and had to use a VPN during this time. Still,
some of the people have connection issues with certain sites like facebook,
gmail, etc.

Some of the companies have sued the government and mobile carriers over those
connection issues.

In my opinion Mozilla and Google made the right decision. There is a lot of
talk about how good Kazakhstan is now for doing business: the taxes are low,
it's easy to get visas for foreign employees, and by doing this they are
losing people's trust.

I don't think they will manage to make a fork of some of the browsers, simply
because the level of our software production is kinda low, especially in the
government sector, and people will definitely not use the browser if they
attempt to make one; they will manage to use a VPN and will find other ways to
just use the "normal" software.

~~~
ignoramous
> I don't think they will manage to make a fork of some of the browsers,
> simply because the level of our software production is kinda low, especially
> in the government sector, and people will definitely not use the browser if
> they attempt to make one

Well, they could always license browsers from other vendors, which they will,
if things need to go to that extent.

> they will manage to use VPN and will find other ways to just use the
> "normal" software

Are users in Kazakhstan willing to pay an extra $5 or more per month for VPNs
that respect user privacy? If not, using free VPNs is going to only make
matters worse. In India, where porn is blocked, users typically resort to
using Telegram or free VPNs to satiate their desire for it; most wouldn't pay
$2 per month for VPNs, even when they could afford it (since $0 VPNs are a
click away and unblock porn for them).

~~~
Ajedi32
I can't imagine how a free VPN could be worse than an actual
government-sponsored man-in-the-middle attack, particularly since VPNs don't
force you to install their own CA certificate (and therefore can't intercept
HTTPS connections).

~~~
ignoramous
Agree, but: most free VPNs are run by state-owned actors, and may also in fact
be honey-pots, which are now dripping with meta-data for literally everything
you do on the Internet. Whilst that is not strictly worse than MiTMd HTTPS, it
is still a step in the wrong direction.

~~~
stevenhubertron
Not saying you are wrong, but I would love a source for this statement.

~~~
ignoramous
I guess you mean source for state-owned VPNs?

My other comment has this ref:
[https://news.ycombinator.com/item?id=18525041](https://news.ycombinator.com/item?id=18525041)

And Lantern, a P2P VPN popular with the Chinese, is backed by the CIA (so is Tor):

[https://news.ycombinator.com/item?id=20373425](https://news.ycombinator.com/item?id=20373425)

~~~
ironlenny
I'm not quite sure what you're insinuating about Tor. Tor is an open-source
project governed by a non-profit. If you're worried about things like
backdoors, that's why it was open-sourced in the first place.

I'm not sure how you're connecting the CIA with Tor. I wouldn't be surprised
if the CIA uses Tor. I know the State Department does.

~~~
mankeysee
Tor is open source but nobody knows who runs the nodes

~~~
ironlenny
It's a distributed anonymous network. It wouldn't be very useful if we knew
who was running the nodes.

~~~
mankeysee
Of course. I am saying that mentioning it's open source says nothing about
whether some of the nodes are CIA operated, etc.

------
ignoramous
> We encourage users in Kazakhstan affected by this change to research the use
> of virtual private network (VPN) software, or the Tor Browser, to access the
> Web

Mozilla should be careful suggesting the use of VPNs (without providing a
disclaimer) since most of the well-marketed ones are, for all intents and
purposes, MiTM black boxes [0], owned by state actors in some cases [1].

For people looking to make an informed decision, take a look at
[https://thatoneprivacysite.net/#detailed-vpn-comparison](https://thatoneprivacysite.net/#detailed-vpn-comparison)
or set up one yourself:
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

If folks do inadvertently flock to free VPNs, the situation would get way
worse (tracking now not just limited to HTTPS, but everything above layer-2).

[0]
[https://news.ycombinator.com/item?id=19601503](https://news.ycombinator.com/item?id=19601503)

[1]
[https://news.ycombinator.com/item?id=18525041](https://news.ycombinator.com/item?id=18525041)

~~~
squeaky-clean
LinusTechTips did a video on anonymous browsing with VPNs and TOR yesterday
and I wish they had been more serious on this bit. The top/pinned comment when
I viewed was along the lines of "What is a good free VPN, not a trial", and
LTT themselves responded something like "None. Bandwidth costs money and you
should be suspicious of a VPN that doesn't make money in a clear way." Still,
I bet 99% of viewers won't see a comment response.

But even then (and I realize this gets a bit tinfoily), as a thought
experiment: is there a really good, reasonably trustless, way to vet a VPN?

For example I use PIA because of word of mouth and a few incidents in the past
which show trustworthiness. But how can I really prove they're not secretly
backed by China and I'm paying $5/mo for higher priority access to a Chinese
VPN farm? Or at the very least that they are honest on any given day about not
retaining log data.

~~~
lunchables
I don't know if this is helpful, but I'll mention it because it works well for
me.

I use a Digital Ocean droplet and local forwarding.

    $ ssh -q -D [port] [droplet-hostname]

Then set up my browser to use a proxy at localhost on [port]. Works great. You
can get a "droplet", in Digital Ocean parlance (i.e., a "VPS"), for as little
as $5/mo, which includes 1TB/mo of data transfer. I assume other options like
Linode, Vultr, etc. would work as well.

~~~
aardshark
There is also sshuttle, which will forward all TCP traffic on your machine to
anywhere you can ssh into and run a python script:
[https://github.com/sshuttle/sshuttle](https://github.com/sshuttle/sshuttle)

It's very easy to use and set up, just do

    sshuttle -r username@12.34.56.789 0/0

That's it. All your TCP traffic is now going through your remote server. If
you want DNS requests to go through as well, you can add the --dns option.

~~~
bayesianbot
I've been using sshuttle for a while and it works great. But I've always had
to exclude (-x) the host address from trying to route through the sshuttle
itself and ending up in a loop:

    sshuttle -r username@12.34.56.789 -x 12.34.56.789 0.0.0.0/0

------
nurbo
A fellow from Kazakhstan here again.

This is a HUGE win.

This might not work for some countries, but it does work for us. Kazakhstan is
not China, we are not technologically independent, and the government doesn't
have an iron grip on its people. Forking open-source browsers and forcing
people to use them is not a feasible option for our corrupt government. While
the solution of blocking a specific CA might not be elegant or permanent, it
does send a strong message to our and other governments who have been thinking
of MITM-attacking their citizens.

~~~
jopsen
> ...it does send a strong message to our and other governments...

It also increases security for users.

------
korethr
I applaud Mozilla and Google for this.

It does get me wondering however, how viable this would be in other countries.
Say, what if the UK or the US were to try to pull something like this. There's
not much that Kazakhstan can do against Mozilla. However, if something similar
were tried here in the US, it seems to me Mozilla would be a lot more
vulnerable to government retaliation, or being forced to do what the Fed says
whether they want to or not. The Mozilla Foundation is incorporated here in
the US. Those board members who are not US citizens could be deported or
prevented from entering the US. Those board members who are US citizens and
residing here could be arrested. The IRS could be weaponized to revoke their
501(c)3 status. There are probably other things I'm not thinking of.

I'm not saying the US is quite that bad, or that it's going to get that bad
here soon. But I don't think it's unreasonable to think that such _could_
happen if people don't remain vigilant. We need only to look at the history of
other nations abroad and our own history here to see just how quickly and
easily it can and has gotten that bad in the past.

Again, I'm glad of Mozilla's and Google's technical solution to this problem.
But, as it seems governments continue to lean in this direction, I worry that
failing to pursue the policy angle in addition to the technical angle when
addressing these problems will cause the technical solutions to be or become
brittle.

Edit: I was reminded that donations to groups who _do_ pursue the policy
angle, like the EFF, would be more effective than handwringing on HN. I would
encourage those of you who are also concerned about this to do the same.

~~~
grlass
Worth looking at what the response to Mozilla's DNS-over-HTTPS system in the
UK has been. Disabling it by default is a good way to avoid conflict, but
means that the feature effectively doesn't exist for the vast majority of
users.

[https://www.zdnet.com/article/mozilla-no-plans-to-enable-dns...](https://www.zdnet.com/article/mozilla-no-plans-to-enable-dns-over-https-by-default-in-the-uk/)

~~~
vbezhenar
Mozilla takes action to protect users in Kazakhstan.

Mozilla does not take action to protect users in UK.

That's funny.

------
intsunny
Are Apple and Microsoft taking any actions?

I remember being disappointed in both Apple and Microsoft when it came to some
fraudulent certificates from China [0]. IIRC the situation was worse for
iPhone users, who have no way of manually revoking CAs on their phones/tablets.

[0]
[https://en.wikipedia.org/wiki/China_Internet_Network_Informa...](https://en.wikipedia.org/wiki/China_Internet_Network_Information_Center#Fraudulent_certificates)

~~~
dredmorbius
Yes: "Google, Mozilla, Apple Block Kazakhstan's Root CA Certificate to Prevent
Spying"

[https://thehackernews.com/2019/08/kazakhstan-root-certificat...](https://thehackernews.com/2019/08/kazakhstan-root-certificate.html)

(Submitted:
[https://news.ycombinator.com/item?id=20758426](https://news.ycombinator.com/item?id=20758426))

------
raesene9
I'm glad to see the browser developers being proactive to help protect users
from this kind of thing.

I'll be very interested to see what happens when it's countries they have more
connections to, who start doing this kind of thing.

For example in the UK it seems likely that the Digital Verification Act will
require ISPs to block access to pornographic sites that don't comply with the
legislation.

Given the rise of DNS over HTTPS, it'll be hard to comply with that
requirement without some form of MITM, so if the UK ISPs do that, will
Mozilla/Google/MS/Apple also block their certs...

~~~
jcranmer
> Given the rise of DNS over HTTPS, it'll be hard to comply with that
> requirement without some form of MITM.

Or the ISPs could just set up null routes to those IPs.

~~~
xg15
Many of the IPs will likely belong to CDNs or shared hosters, so that would
instantly make a larger number of unblocked sites unusable as well.

------
FPurchess
Now that's a really funny quote:

“We will never tolerate any attempt, by any organization—government or
otherwise—to compromise Chrome users’ data. We have implemented protections
from this specific issue, and will always take action to secure our users
around the world.” — Parisa Tabriz, Senior Engineering Director, Chrome

while GNU just released this page:
[https://www.gnu.org/proprietary/malware-google.en.html](https://www.gnu.org/proprietary/malware-google.en.html)

and Google admits they had to give in to sharing information about their users
with the US government.

------
saagarjha
> Each company will deploy a technical solution unique to its browser. For
> additional information on those solutions please see the below links.

Firefox is blacklisting the Kazakh certificate, while Chrome will prevent it
from being installed.

~~~
Ajedi32
Chrome isn't preventing the certificate from being installed, they just added
it to a CRLSet, so it'll be treated as revoked even if it is manually
installed. Firefox is doing basically the same thing I think, probably adding
the cert to OneCRL.
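A toy model of the precedence described above, added here as an example (not code from Mozilla or Google): the distrust list the browser ships is consulted before any trust-anchor lookup, so a root the user installed by hand cannot re-enable a distrusted certificate. Certificate names and bytes are constructed placeholders, not the real Kazakh certificate, and real lists key on fields such as issuer plus serial number rather than a whole-certificate hash.

```python
"""Toy model of a browser-shipped distrust list (in the spirit of Chrome's
CRLSet or Firefox's OneCRL) overriding a locally installed root.

Added example, not Mozilla's or Google's code. Certificates are plain
dataclasses with constructed placeholder bytes, not real X.509."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the DER encoding

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def validate(chain, builtin_roots, user_roots, distrusted):
    """Return (trusted, reason) for a leaf-first chain.

    Order matters: linkage check, then the distrust list for every cert in
    the chain, and only then the built-in and user-installed trust anchors.
    """
    if not chain:
        return False, "empty chain"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"broken chain at {child.subject}"
    for cert in chain:
        if cert.fingerprint() in distrusted:
            return False, f"distrusted certificate: {cert.subject}"
    root = chain[-1]
    if root.issuer != root.subject:
        return False, "chain does not end in a self-signed root"
    fp = root.fingerprint()
    if fp in {r.fingerprint() for r in builtin_roots}:
        return True, f"chains to built-in root: {root.subject}"
    if fp in {r.fingerprint() for r in user_roots}:
        return True, f"chains to user-installed root: {root.subject}"
    return False, f"untrusted root: {root.subject}"


# Constructed placeholder certificates (names and bytes are made up).
PUBLIC_ROOT = Cert("Example Public Root", "Example Public Root", b"public-root-v1")
MITM_ROOT = Cert("Placeholder National Root", "Placeholder National Root", b"national-root-v1")
MAIL_LEAF = Cert("mail.example.com", "Example Public Root", b"mail-leaf-v1")
MITM_LEAF = Cert("mail.example.com", "Placeholder National Root", b"mail-leaf-intercept-v1")

BUILTIN_ROOTS = [PUBLIC_ROOT]
USER_ROOTS = [MITM_ROOT]  # the root the user was told to install
DISTRUST_LIST = {MITM_ROOT.fingerprint()}  # what the browser update ships


def demo():
    """Run the three cases that matter and return their outcomes."""
    return {
        # Before the update: the interception chain is trusted because the
        # user installed its root locally.
        "mitm_before_update": validate([MITM_LEAF, MITM_ROOT], BUILTIN_ROOTS, USER_ROOTS, set()),
        # After the update: same chain, same user store, now rejected.
        "mitm_after_update": validate([MITM_LEAF, MITM_ROOT], BUILTIN_ROOTS, USER_ROOTS, DISTRUST_LIST),
        # A chain to a public root is unaffected by the distrust list.
        "public_after_update": validate([MAIL_LEAF, PUBLIC_ROOT], BUILTIN_ROOTS, USER_ROOTS, DISTRUST_LIST),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:20} {'TRUSTED' if ok else 'REJECTED':8} {why}")
```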

~~~
saagarjha
I must have misread "Chrome will be blocking the certificate the Kazakhstan
government required users to install" as "Chrome will be blocking the
certificate the Kazakhstan government required from being installed".

------
darkwater
This is frankly big, an explicit black-list inside the browsers' code to
circumvent a state-based MITM attack. My only concern is: they could easily
MITM and redirect users trying to download these new Firefox/Chrome versions to
old unpatched ones and just break the automatic update process. Although I
hope that they already started distributing this update silently (like all the
chrome/firefox updates) before announcing it.

~~~
jopsen
They can't MITM automatic updates, but they could break them.

Asking users to install old versions of Firefox is hard. The entire country
would be exposed to security vulnerabilities.

Forking Firefox is not easy. And it's doubtful users will want to use a fork.

------
bscphil
> In 2015, the Kazakhstan government attempted to have a root certificate
> included in Mozilla’s trusted root store program. After it was discovered
> that they were intending to use the certificate to intercept user data,
> Mozilla denied the request.

This strikes me as odd. Does this mean that political authorities (or major
tech companies) _can_ get their roots in the program, as long as there's no
direct evidence they're using it to MITM? Seems like you'd want the opposite
policy, where to get your root in the program, you have to sign a bunch of
agreements about how you're going to use it and submit to regular audits to
make sure you're not misusing your new authority.

Maybe I'm reading too much into this though.

~~~
zifnab06
I believe most (if not all) current browsers require public CAs to use a
certificate transparency service to prevent this.

------
prepend
I wish this would be more broadly supported. My organization MITMs all SSL
traffic on the network because they deploy custom CAs to every machine.

I think this practice is harmful but there's nothing I can do to stop it.

~~~
urda
Your org has every right to MITM your connections. You are on their hardware,
on their line, doing work for them. You should have no expectation of privacy
at work, and this includes your computer usage.

~~~
prepend
They have every right to do lots of annoying and inefficient practices. That
doesn't mean it's a good idea to do so.

------
lone_haxx0r
From the "Mozilla" link:

> To protect our users, Firefox, together with Chrome, will block the use of
> the Kazakhstan root CA certificate. This means that it will not be trusted
> by Firefox even if the user has installed it.

I don't like this (to be honest, I don't like the whole "certificate
authority" thing to begin with).

I don't think my browser should meddle in my relationship with the state.

Why don't they also block every CA residing in the US? The US government
coerces companies into giving away private data. How do we know that they
don't share their private keys with the US government? Will Mozilla & Google
take the blame when this happens, because they've declared themselves the
guardians of certificate trust?

What if I legitimately need to install this certificate?

~~~
ceejayoz
> I don't think my browser should meddle in my relationship with the state.

Mozilla doesn't think the state should meddle in your relationship with them,
or the rest of the Internet.

> Why don't they also block every CA residing in the US?

Because there's no evidence they're controlled by the US government in the way
Kazakhstan's cert clearly is.

~~~
lone_haxx0r
> Mozilla doesn't think the state should meddle in your relationship with
> them, or the rest of the Internet.

I don't want to have a relationship with Mozilla. I use their browser to
communicate with other people. The browser is merely a tool, and I would
expect it to allow me to communicate with anyone I want (as long as it's
technically feasible), not only people that Mozilla approves of.

~~~
dantondwa
What's your point? Mozilla and Google here are preventing the government's
bogus CA from being used to bypass encryption. You can talk to whoever you
want, and in full safety (as opposed to doing so while being spied on by a
tyrannical government like Kazakhstan).

~~~
rocqua
Advocating for the devil here.

Installing a cert in the local root store means 'I fully trust the owner of
this certificate'. It is an intentional feature of TLS to use this to be able
to _consensually_ MitM a TLS connection.

Yet here, western companies have decided that, regardless of whether the user
wants to be Man-in-the-Middle'd by Kazakhstan, they simply cannot. This is
inherently a political and not a technical decision. What Kazakhstan is doing
is not actually breaking TLS, but instead using a feature.

~~~
Ajedi32
I guess the real problem is that it's not immediately obvious to non-technical
users what the implications are of installing a government-issued MITM CA
certificate.

That could potentially be fixed with better UI, but even then it's rather hard
to communicate the danger when the user is under the influence of a social
engineering attack from _their own ISP_. (E.g. "This certificate is needed to
ensure your security. Just ignore that warning from your browser, it's not
important.")

~~~
rocqua
This is not a social engineering attack, or at least it need not be. It is
simply made a requirement; block any connections to the outside that do not
use the certificate. Then people have a choice of no HTTPS (which blocks many
big sites) or HTTPS that is MitMed by the government.

Incidentally, the above is why the 'consensual MitM-ing through a root cert is
a feature of TLS' does not hold up. It is not consensual, it is not even
coerced, it is a hard requirement. You could then go into an argument about
national sovereignty / complying with local laws, but that is a totally
different argument.

------
AdmiralAsshat
I'm somewhat surprised that Mozilla went this route, because I recall during
discussions, there was concern that explicitly blacklisting a country's root
CA could lead the country to simply fork and release its own nation-state
browser with the root CA trusted. That would be bad for everyone for many
reasons, not the least of which being that the nation-state forked browser
would likely be perpetually behind the main branch in terms of bugfixes and
security updates.

Maybe because Google agreed to do the same?

~~~
devoply
Could you not generate any random private certificate and force your users to
install it?

~~~
Ajedi32
That's exactly the behavior Firefox, Chrome, and Safari are blocking here.

------
peterwwillis
What would these vendors do if the US Government made a law requiring the USG
receive all US CA private keys, or some other encryption backdoor? Would they
be able to put these kinds of changes in, or wouldn't that be circumventing
the law?

~~~
zifnab06
Handing over CA keys wouldn't allow them to MITM things - you'd need the
server operator's private key for that. This could allow them to issue new
certs, but they'd have to be added to certificate transparency to be valid,
and everyone would know rather quickly if they tried.

------
codedokode
Mozilla is a little late, to be honest, because now the testing of the "security
certificate" is over and the government (temporarily?) gave up the idea of
forcing everyone to install the certificate.

But I think it is important that the OS's or browser's UI display true
information about the consequences of installing a certificate, because the
government usually lies about it, saying something like it is necessary to
protect users when browsing the Internet. For example, Android shows a reminder
when a third-party root certificate is installed and offers a quick way to
remove it.

------
amq
Way too late, weeks after the CA has been deprecated by the Kazakh government.

~~~
usernameis42
It was deprecated, but still some users have connection issues; I still have
no access to Gmail from an office network without a VPN. This is what I mean by
saying that our state software is lame: they deprecated the cert two weeks ago
and there are still issues with connection, and I'm sure they kinda don't care.

I have a feeling that they had gathered a database with usernames and
passwords, because only certain sites were targeted for MITM, mostly mail
services like gmail and social networks, facebook, youtube and others. Other
sites were working fine even without that cert.

And after that MITM they had to stop, due to people's discontent and lawsuits.
These are also reputational losses; it is unlikely that foreign companies will
want to do business in a country in which personal data is treated this way
and where the government wants to see all your passwords for email services
and bank accounts.

There was also a question about ensuring the security of a root certificate
that can decrypt data; it could easily get to third parties who could use it
for their own purposes.

~~~
Fnoord
One lesson to learn here for laymen is that if something isn't accessible,
accept it as is. Do not listen to the government by installing such a
certificate.

------
vbezhenar
How do I override that blacklist and forcefully whitelist that certificate?

~~~
dredmorbius
Why would you want to?

~~~
vbezhenar
I think that currently this certificate is used in state organizations and I
have to work with the Internet from there. Obviously a VPN is not an option. I
would hate to use IE instead of Firefox just because of that. I guess I would
use some old version and prevent it from upgrading, but that's just stupid.

Also I really dislike that Mozilla wants to decide whom I should trust. If I
added that certificate, it's my business, not theirs. They should encrypt
bytes and display HTML, not engage in foreign politics.

~~~
dredmorbius
The problem with "Mozilla should trust the user" is that the threat model
itself is _users being forced, coerced, or tricked into installing the cert_.

Presumptions of user autonomy, consent, or informedness are invalid.

Which means that the bypass process should be highly inconvenient.

I've addressed that separately in a direct response above -- might not be a
solution for you, but it's the direction I'd look to. Alternatively, you could
look for what Firefox's behaviour in the presence of locally installed certs
would be, though as noted above, given the threat model, it largely
_shouldn't_ do that.

Keep in mind that a large chunk of Mozilla, Google, and Apple's stance here
(and I suspect Microsoft will join them) is that this is a _very bad practice_
of CAs or governments, as not only will the browsers flag this practice, but
those certs _and a lot of collateral damage_ will result. This is by all
appearances deliberate and a strong message to _not do that then_, to any
governments which are considering similar asshattery.

And _failing_ to respond forcefully to such actions and threats risks
compromising _all trust whatsoever_ in the browser and CA models. Which are
rickety enough as it is. So Mozilla, Google, and Apple most definitely have
dogs in this fight as well.

------
option
great move! Please also join forces to help protect users in China and US

~~~
dingo_bat
Can't do that because that involves actual risk for Mozilla.

------
thinkloop
If the government secretly forces Network Solutions to provide all their
certificates can they read all encrypted traffic (that is secured by them)?

------
jupp0r
Good that they are taking action, however blacklisting that specific CA cert
seems like a hacky band-aid fix. This is going to end in a cat and mouse game
and again shows how broken the whole CA system really is. What I wish they
would do is block all "enterprise" CAs and restrict verification chains to end
in a list of a few whitelisted CAs. I understand how disruptive this would
be, but in the end it would result in better security for everyone. There are
no legitimate reasons for breaking end to end encryption in my opinion.

~~~
AndrewDucker
That would result in that browser being banned by my company (amongst many
others). We have a regulatory requirement to prevent any customer data (and a
lot of other data) leaving the premises. Anything which prevents the proxies
from scanning all requests to ensure they don't contain regulated data would
get blocked very quickly.

~~~
prepend
There are ways to do this without intercepting HTTPS. Does your company
monitor all phone calls looking for Morse code? Does your company monitor all
photocopies? All photos taken with phones?

There are reasonable precautions that can be taken and proxying all traffic is
a bit of an overkill.

Interestingly, I'm waiting for some IP lawsuit as MITM is technically breaking
encryption and breaking encryption for DRM is against the DMCA. So MITMing
HTTPS traffic to Spotify should be in violation of US copyright law. But I've
never heard of a case.

~~~
pferde
MITM in this context is definitely not "breaking encryption". You have two
legitimate, untampered-with TLS connections - one from the client to the
proxy, one from the proxy to the destination web server. Nobody is breaking
encryption used in these connections.

What this might be considered breaking instead is trust.

~~~
prepend
I think it’s legally grey. The expectation and design of the interaction is
that the channel is secure between client and server. The equipment is owned
by the company, not the individual. But the license is between the user and
Spotify. The company is accessing the IP without a license and only accessed
it by bypassing Spotify’s encryption.

I think it’s similar if Safari was MITMing requests without consent from both
parties.

I’m interested in a legal ruling.

------
lalalapokemon
Is there anything wrong with a country monitoring the opinions, which can be
likened to propaganda, that people are exposed to online? Every person's
opinion is a form of bias, every country has its own laws, but who is right?
The biggest group of aligned points of view or minority groups with aligned
points of view? Why would a tech company like Mozilla or Google want to
undermine the legal system in a country?

~~~
__s
Why should Mozilla & Google support the legal system of a country?

This is like saying an arms dealer should sell to any government

The government was undermining the security features of the browser. The
browser is functioning to mitigate that interception. HTTPS is about having a
secure link between client & server, not client & server & government

~~~
vbezhenar
Many companies do that. That apparently was OK. So Mozilla fully supports
MITM when it's a US company, but it does not support MITM when it's a foreign
government. Talk about double standards.

~~~
roca
You can quit working at a company. Most people can't quit living in their
countries.

You can keep working at the company, and access company-monitored/blocked
sites in your own time with your own devices at home. No such option when the
government is mandating monitoring/blocking.

~~~
vbezhenar
Kazakhstan is not a closed country. You're free to go anywhere.

------
badrabbit
Downvote all you want but this is not good. Mozilla is not above the law. A
government has sovereign (!!) rights which lets me spy on their users if they
so choose.

You can disagree with it. You can refuse to do business in that country. But
to actively work in hostility to a foreign government is criminal.

I am surprised there are no US laws that would adversely affect Mozilla.

Your views and opinions, however well intended, do not supersede a
government's legitimate right to govern its citizens.

The only exceptions are human rights violations or crimes against humanity.
TLS interception hardly counts as such. If it does, please prosecute US
corporations that intercept TLS before you meddle with a foreign country's
practices.

I think people forget that the internet does not supersede geographic
boundaries and legitimate (as in accepted as such by other nations)
governments.

~~~
AnimalMuppet
To amplify what vinceguidry said:

A government has sovereign rights... _within that country_. Not outside,
though. Why should Mozilla (which is not a Kazakhstan entity) be subject to
the laws of Kazakhstan? Should it not be subject to the laws of the US
(presuming it is a US entity)?

> I am surprised there are no US laws that would adversely affect Mozilla.

Why should _US_ law be subject to the law of Kazakhstan? That would kind of be
a limit on _US_ sovereignty, wouldn't it?

> But to actively work in hostility to a foreign government is criminal.

No, it's only criminal _within that country_. If it's a foreign country, then
you're not within that country - that's kind of what "foreign" means. I do
what I do, paying attention to the laws of _my_ country. I don't pay attention
to the laws of other countries, _because I'm not subject to them_. They can
pass all the laws they want. I don't care. I'm not following them, _because
I'm not there._

(Kazakhstan can, of course, freely prohibit Mozilla within its borders. It
certainly has the right to do so.)

~~~
dragonwriter
> A government has sovereign rights... within that country.

Sovereignty doesn't have bounds on scope, only on applicability. That is, it
applies to actions anywhere, but only to things brought within the practical
power (which isn't the same thing as territorial boundaries) of the sovereign.

> Why should Mozilla (which is not a Kazakhstan entity) be subject to the laws
> of Kazakhstan?

Because there is no superior sovereign over Kazakhstan to say no. That's what
sovereignty is ultimately about.

> That would kind of be a limit on US sovereignty, wouldn't it?

That sovereign entities are in a state of perpetual conflict, and that this
conflict is the only limit on the power of sovereigns, is a very old and
well-known observation about sovereignty.

> No, it's only criminal within that country.

Very few, if any, countries actually only criminalize conduct within their own
territory. Most criminalize some conduct whether or not it's within their own
territory, and some (including the US) criminalize certain conduct _only_ if
it is outside their own territory. In fact, in some cases there is broad
international consensus that nations _should_ criminalize certain conduct even
when committed by foreigners in foreign lands.

~~~
AnimalMuppet
> > Why should Mozilla (which is not a Kazakhstan entity) be subject to the
> laws of Kazakhstan?

> Because there is no superior sovereign over Kazakhstan to say no. That's
> what sovereignty is ultimately about.

_But Mozilla doesn't reside in Kazakhstan._ So what are you saying? That
Kazakhstan can make a rule that has zero real-world effect because they can't
enforce it, and because nobody can make them change their rule, they are
therefore sovereign?

~~~
dragonwriter
> But Mozilla doesn't reside in Kazakhstan

Which would be relevant if there were a global sovereign and the government of
Kazakhstan merely the regional administration beneath it of a particular
territory, and if that sovereign made it relevant. Foreign residency alone
doesn't immunize one from the rules of a sovereign either in theory or with a
sufficiently capable and motivated one, in practice.

> That Kazakhstan can make a rule that has zero real-world effect because they
> can't enforce it, and because nobody can make them change their rule, they
> are therefore sovereign?

Close, but not quite. Rather, Kazakhstan, being sovereign, can make whatever
rules it wants and is limited in applying them only by practical constraints,
mostly those applied by other sovereigns. It may or may not be able to
effectively apply its laws to some conduct beyond its borders; certainly
other sovereign entities have done quite a bit of that.

~~~
bscphil
> Close, but not quite. Rather, Kazakhstan, being sovereign, can make whatever
> rules it wants and is limited in applying them only by practical
> constraints, mostly those applied by other sovereigns.

And absent any practical way for them to enforce their rules, no one has any
good reason to respect them. Nor does their claim to "sovereignty" give them
any kind of moral imperative over the actions of people who do not reside in
that country on any philosophical theory of law that I am aware of. So without
a practical reason (the threat of force) or a moral imperative (patently
non-existent), why should Mozilla comply with their wishes?

If the smallest sovereign state in the world passed a law that said that
marriages in the United States were invalid if they were between two people of
the same gender, would anyone care? Should they?

