
MITM on HTTPS traffic in Kazakhstan - bzbarsky
https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
======
noragami
Hijacking the comment for better visibility. After getting some backlash, the
government has already backed down. They claim that installing the certificate
is entirely voluntary.

[https://rus.azattyq.org/a/30064788.html](https://rus.azattyq.org/a/30064788.html)

They have been talking about this stuff for some years, though. It will get
implemented at some point. I have a feeling it was one of their "test trials":
can we boil the frog yet, or do we have to heat the water up a bit more?

~~~
Ajedi32
Are you sure that's really them backing down, and not just a way to obfuscate
the issue? _Technically_ yes, installing the certificate is voluntary; it's
just that if you don't install it you won't be able to access the internet
anymore when the government starts MITMing your connections.

~~~
stirfrykitty
Let's say they make it mandatory. Would it be possible for a group of people
with one having unfettered access because, say, they cross the border all the
time to a place that has full Internet, and they use wget to tar/gzip entire
sites, places this on a server in a city, and provides access with a self-
signed cert that everyone involved with knows about.

Or failing that, some kind of digital dead drop with the files. If this could
be updated a few times a week, that's better than not having access to
material that you don't want the government to know about. It has to be
possible.

------
nurbo
A fellow from Kazakhstan here.

Banning this certificate or at least warning the users against using it WILL
help a lot.

Each authoritarian regime is authoritarian in its own way. Kazakhstan doesn't
have a very strong regime, especially since the first president resigned
earlier this year. When people protest strongly against something, the
government usually backs down. For example, a couple of years ago the
government withdrew their plans of lending lands to foreign governments after
backlash from ordinary people. If Kazakhs knew about the implications of
installing this certificate, they would have been on the streets already.

If Firefox, Chrome and/or Safari block this certificate, the people will show
their dissatisfaction and the law will be revoked.

Sometimes the people in authoritarian countries need a little bit of support
from organizations to fight for their rights. I really hope the browser
organizations would help us here.

~~~
vbezhenar
I really don't like the idea that some third forces would interfere with
internal politics of my country. Browser should work according to technical
standards, not according to what US citizens decided to be good or bad. If
Firefox wants to forbid locally installed roots, I'm all for it, but implement
it for everyone.

That said, I don't see how government would step back. People are uninformed
and generally passive, they wouldn't care enough. So, sadly, it might be the
only way to push back that decision. But I still don't like it.

~~~
pornel
Encryption is political. The technical standards around HTTPS are politically
motivated. The push for HTTPS everywhere, de-facto required TLS in HTTP/2,
eSNI & DoH, were largely a response to the US government's mass surveillance.

However, _who_ makes these changes is interesting. It happened to be mostly
developers in Five Eyes' countries acting against Five Eyes.

Do we need to have elected representatives in browser vendors and encryption
standards bodies? Or given that the elected representatives are for mass
surveillance, would that be any good?

~~~
martingxx
I disagree that encryption is political. Fundamentally, it's a privacy and
security mechanism and on its own it's no more political than locks, safes,
paper shredders or curtains.

Because of the complex, un-intuitive nature of encryption, it mixed
particularly badly with politics, and we're still suffering from the fallout
of that now. (crypto wars 1)

Firefox and other application vendors who use those standards do end up being
unavoidably slightly closer to politics (as demonstrated in this particular
issue now), but I think Mozilla would do well to keep their goal simple -
Protect user privacy where they can and explain to users when they can't.

A notice to the user like "You are using a key known to allow access to third
parties" is just a fact and no more political than "the site you are visiting
uses weak crypto standards" or similar.

~~~
TazeTSchnitzel
Privacy is political.

~~~
salawat
Privacy is apolitical. In fact, it is built into the very fabric of how the
world works.

Does the grain of sand on a beach in Japan know whether or not I've just sat
down in America? No.

Does the merging black hole/neutron star somewhere in the universe know that
it will have consequences for small bags of carbon and water somewhere in the
universe? No it does not.

Do you know what your child is actually thinking when you harangue them for
the umpteenth time? No, you don't.

Lack of privacy/privileged access to information has always been the byproduct
of active human effort. The natural state of things is for information to
only affect its immediate locality. I.e. privacy.

Lack of privacy; therefore is the political subject. Subtle difference,
granted, but that subtlety belies the consequences of letting things get out
of hand.

Excessive "awareness" is a problem. There are those that relish the thought
for the power such systems confer; they chant

"I can make you safer!" "You lose nothing!" "There is no danger in this!" "It
is just the sacrifice a Good Citizen should be expected to make for the
Greater Good!"

However, once the check is written, does the government ever relinquish its
right to privacy?

Nay. National Security. Just trust us.

Never mind that the assertion that led to the sacrifice of the initial liberty
was that there were those amongst us who couldn't be trusted.

Nay, sir, I agree with GP. The breach of fundamental rights (or imposition of
obligation) is the matter of politics, and very infrequently do I see any
credible case made where something as fundamental as breaking the
confidentiality of the most efficient means of communication anything but a
power grab, and eventual tool of tyrannical oppression.

------
gnull
What is interesting is that some local internet providers in Kazakhstan used
to inject their own ads into http websites their users visit. I wonder if they
will start doing the same with https now.

I noticed this behaviour last February with Kazakhtelecom (telecom.kz)
internet provider. When I opened an http website in my browser and started
clicking randomly on the parts of the page which are usually not clickable,
sometimes such click would open a pop-up window with ads. Those pop-ups did
also open sometimes, when I clicked on links of the page. It was unusual,
because I used the same websites just a few days before that from Russia and
nothing like that happened.

To figure out what's going on I opened the same webpage through proxy and
compared it with locally opened one. Shell command for that was something like:

    diff <(curl http://website) <(proxychains curl http://website)

And the only difference was that directly downloaded webpage contained a
reference to some suspicious script in a place, where the proxied one had a
reference to a google analytics script. I reproduced this behaviour with
multiple websites from two different homes, on two different laptops (Linux
and Windows). So this is unlikely to be a malware in my router, and I'm pretty
sure it's not in my laptop.

I'll be back in Kazakhstan in 3-5 days, I'll try to reproduce this once again.
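
The comparison gnull describes, narrowed to script references so that unrelated markup differences do not hide a swapped script. This is an added example, not part of the original comment; the two HTML samples, the `injector.example` host and the function names are constructed for illustration.

```python
import hashlib
import sys
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external script URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.external = set()
        self.inline = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src.strip())
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # Script bodies can arrive in several chunks; collect them all.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._in_inline = False


def script_inventory(html):
    """Return (external script URLs, inline script hashes) for one page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def compare_fetches(direct_html, reference_html):
    """Report scripts present only in the direct fetch or only in the reference."""
    d_ext, d_inl = script_inventory(direct_html)
    r_ext, r_inl = script_inventory(reference_html)
    return {
        "added_external": sorted(d_ext - r_ext),
        "missing_external": sorted(r_ext - d_ext),
        "added_inline": len(d_inl - r_inl),
    }


# Constructed sample: the page as fetched through a proxy outside the ISP.
REFERENCE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body><p>Hello</p></body></html>"""

# Constructed sample: the same page fetched directly, with one script swapped.
DIRECT_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="http://ads.injector.example/p.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body><p>Hello</p></body></html>"""


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py direct.html reference.html (saved curl output)
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            direct = f.read()
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            reference = f.read()
    else:
        direct, reference = DIRECT_HTML, REFERENCE_HTML
    for key, value in compare_fetches(direct, reference).items():
        print(f"{key}: {value}")
```

Pages that rotate ads or embed per-request nonces differ between any two fetches, so fetching the reference copy more than once helps separate normal churn from a script that only ever appears on the direct path.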

~~~
break_the_bank
This is so bad. I'm from India and at my parents place we have the government
run internet provider. They MITM and inject advertisements all the time
showing annoying popups whenever you open an http link. I don't know how this
is legal even.

~~~
mkagenius
> I don't know how this is legal even.

Legality is secondary when you are punching up in a 3rd world country. (I am
from India)

~~~
droithomme
I'm in the US and I've caught my ISP doing MITM exploits over http (not
https... so far). It's global and regular folks have absolutely no chance of
knowing what is going on. Needs to be criminalized for any hope of resolution.

~~~
_jomo
Comcast has even published an informational RFC describing how to inject crap
into HTTP requests:

[https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108)

------
jedberg
I find the social aspect of this interesting. Us "smart tech people" have been
pushing https everywhere for a few years now as a way of protecting internet
privacy "for the masses".

And now the government found a very simple non-technical workaround. Send a
message to everyone requiring a government root CA with an easy install, or
their internet won't work.

Now "us techies" have to find a new technical solution to a very social
problem.

It never ends. :(

~~~
stefan_
Except I look at the linked mailing list and you already get "us techies"
arguing "uh yeah but uhm this isn't so different from the corporate CA
intercept thing right so let's not blacklist it uhm".

What the fuck.

~~~
bscphil
Actually, I don't see the issue here. It is literally the same thing as corps
intercepting the connections of their employees or visitors. In fact I trust
my employer even less than I trust the government.

But I disagree with the response that says we should do nothing. In fact,
corporate root certs should be blocked / ignored by the browser in the exact
same way and for the exact same reason. The _only_ exception should be certs
issued for a limited number of domains that are only active in a specific
developer mode that can be enabled by knowledgeable users.

Sure, technological solutions can't solve this issue 100%. (My employer can
also fork a browser.) But acting as if everything is OK when the connection is
being MITMed is wrong and browsers shouldn't do it.

~~~
oarsinsync
> corporate root certs should be blocked / ignored by the browser in the exact
> same way and for the exact same reason ... technological solutions can't
> solve this issue 100%

Technological solutions can't solve this at all if the entire stack is
controlled by the interested party.

In the case of government snooping, you (theoretically) own the end device
being used for access. In the case of corporate snooping, you're using
corporate owned and managed devices. There is absolutely no technological
solution that exists that will prevent another person from building software
for (or selling to) corporations who need to snoop on their employees.
Considering the selling price of appliances that perform these services (e.g.
Bluecoat's range), the cost of a browser is negligible in comparison.

I don't think it's fair to conflate a lack of privacy on corporate owned
devices with a lack of privacy on your own personal devices.

------
mholt
Would someone with network access in Kazakhstan check if Caddy's MITM detector
catches this please?
[https://caddyserver.com/docs/mitm-detection](https://caddyserver.com/docs/mitm-detection) - or
[https://mitm.watch](https://mitm.watch) (Cloudflare's unofficial deployment
of the same tech).

If it does not, could you file a bug report with a complete packet capture
(and _exact_ browser version - multiple browsers are preferred)?
[https://github.com/caddyserver/caddy/issues](https://github.com/caddyserver/caddy/issues)

(Edit: Reportedly, "not all Internet providers have started MITM attacks yet"
so if you do the test, make sure you are on an intercepted network... if safe
to do so.)

~~~
lame-robot-hoax
So uh, should I be concerned at all if my connection came back as a likely
MITM from my home network in the US? Or is it most likely a false positive
caused by my firewall or something?

I tested it both off a VPN and on a VPN from my iPhone yet still had the same
result both times.

~~~
mholt
iOS is tricky because of its weird rules regarding TLS libraries and web
views. If you are sure you haven't any rogue CA certs in your applicable trust
stores, it's probably a false positive.

~~~
lame-robot-hoax
Yeah no CA certs as this is a personal phone, and I just checked from my
Fedora box and it said MITM unlikely so guessing it’s just iOS being weird.

------
FabHK
The pertinent page [1] of a local ISP, Kcell, is interesting - very devious.

> Kcell JSC informs its customers of the need to install Security Certificate
> on personal devices capable of connecting to the Internet

> Due to the increase of identity and personal data theft, including stealing
> money from bank accounts, introduced a security certificate as an effective
> tool to protect the country’s information space from hackers, online
> fraudsters and other types of cyber threats.

And some FAQs are hilarious (as in hilariously devious):

> What happens if I do not install the Security Certificate? You may have
> problems accessing the Internet.

> Will installation of the Security Certificate affect the protection of my
> personal data? The security certificate has no access to your personal data.

Yeah, true that, literally, but you forgot to mention something there...

[1]
[https://www.kcell.kz/en/product/3585/658](https://www.kcell.kz/en/product/3585/658),
might have to switch to EN in top right corner

~~~
leevlad
Wow, if only everyone was as smart as Kazakhstan and figured out that this
super awesome Security Certificate was "an effective tool" to protect the
entire country's information space. And I've been wasting time with strong
passwords, 2FA, E2E encryption, full disk encryption, etc. /s

------
isostatic
I have custom root certs for internal dev sites for my company. That's fine,
but I'd like to add the root with a caveat that I control saying "I trust this
root for *.mycompany.com,mycompany.org", but that I know means they wouldn't
be able to proxy "mybank.com".

I don't think Firefox or Chrome can do that can it?

~~~
JoshTriplett
I'd like that as well, for exactly the same purpose.

To the best of my knowledge, no browser can do this today, and I don't know of
any other software that can do that either. (I'd want to have it in the system
certificate store with the same constraint, as well.)

Name Constraints, as mentioned elsewhere in this thread, wouldn't solve the
problem, for two reasons: most software doesn't support them (and silently
ignores them rather than correctly failing closed), and they require the CA
certificate to contain the constraints rather than system configuration adding
the constraints.

We need a mechanism to place certificates in a certificate store (browser or
system) with specific domain constraints configured by the administrator. To
avoid the failure mode of Name Constraints, those certificates shouldn't be
accessible to software that doesn't know to enforce domain constraints.

That would also require updates to various SSL libraries (and to browsers) to
handle this new certificate store and enforce the constraints.

~~~
wiml
> most software doesn't support [name constraints] (and silently ignores them
> rather than correctly failing closed)

Could you elaborate on this? Specific examples? CVEs? My experience has been
that most software will either honor them, or honor the "critical" flag, which
is correct (if disappointing) behavior. If you want it to fail closed, use the
critical flag. If you want it to fail open, clear the critical flag.

~~~
JoshTriplett
The last time I investigated this, several years ago, I found that
several SSL libraries simply ignored the extension entirely, whether it had
"critical" or not. Older OpenSSL did so, for instance.

Doing some additional research, it looks like the situation has improved
significantly now, and name constraints might actually work as designed if you
don't care about older systems.

That still doesn't address the ability for a browser/administrator to apply
such name constraints to a CA that didn't ship as part of its certificate,
though.
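
The administrator-configured constraint that isostatic and JoshTriplett ask for above, as an added example that is not from the thread or from any browser or TLS library. It assumes the TLS stack has already validated the chain and hands over the anchor's DER bytes and the leaf's SAN dNSNames; `ConstrainedAnchors`, `within_subtree` and the sample root bytes are hypothetical names and constructed values.

```python
import hashlib


def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def within_subtree(dns_name, base):
    """RFC 5280 dNSName rule: the name is the base itself, or the base with
    labels added on the left. Matching is per label, so 'evilmycompany.com'
    is not inside 'mycompany.com'."""
    name, root = _labels(dns_name), _labels(base)
    return len(name) >= len(root) and name[-len(root):] == root


class ConstrainedAnchors:
    """A separate store for locally added roots, each tied to permitted domains.

    Constraints live in local configuration, keyed by the root's SHA-256
    fingerprint, instead of inside the CA certificate itself."""

    def __init__(self):
        self._permitted = {}

    @staticmethod
    def fingerprint(root_der):
        return hashlib.sha256(root_der).hexdigest()

    def add(self, root_der, permitted_bases):
        bases = [b.strip().lower() for b in permitted_bases]
        if not bases:
            raise ValueError("a constrained anchor needs at least one permitted domain")
        for base in bases:
            # Fail closed on ambiguous configuration instead of guessing intent.
            if not base or base.startswith(".") or "*" in base:
                raise ValueError(f"bad constraint {base!r}: use a bare base domain")
        fp = self.fingerprint(root_der)
        self._permitted[fp] = tuple(bases)
        return fp

    def allows(self, root_der, leaf_dns_names):
        """True only if the root is in this store and every dNSName in the
        leaf falls inside one of its permitted subtrees."""
        bases = self._permitted.get(self.fingerprint(root_der))
        if not bases or not leaf_dns_names:
            # Unknown anchor or a leaf with no names: this store gives no trust.
            return False
        return all(
            any(within_subtree(name, base) for base in bases)
            for name in leaf_dns_names
        )


# Constructed stand-in for the DER bytes of a company root (not a real certificate).
SAMPLE_ROOT_DER = b"constructed-company-root-der-bytes"


def build_sample_store():
    store = ConstrainedAnchors()
    store.add(SAMPLE_ROOT_DER, ["mycompany.com", "mycompany.org"])
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for names in (["dev.mycompany.com"], ["*.mycompany.org"], ["mybank.com"],
                  ["dev.mycompany.com", "mybank.com"]):
        print(names, "->", store.allows(SAMPLE_ROOT_DER, names))
```

Every name in the leaf is checked, not only the host being visited, so a certificate that mixes an internal name with `mybank.com` is refused as a whole.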

------
JaRail
I'm surprised at comments in the bug threads suggesting they do nothing. The
idea being that fighting this would force governments to fork/change browsers,
ultimately being a worse experience for users. Seems like betraying people's
trust is a pretty bad user experience.

There will always be a fight over privacy. Giving up to a foreign government
is a terrible idea. It would absolutely just let the problem spread and get
worse.

I don't think Kazakhstan has the resources to replace outside online services.
A move like this should simply result in them shooting themselves in the foot.
This needs to be a firm line such that it's simply not practical for them to
implement.

I understand that bugs/discussions should weigh both sides. And ultimately, we
may need more than HTTPS. That's fine. The point is we don't just roll over
and give up.

~~~
cpach
If a government mandates its citizens to install the government’s own root
certificate, then it’s not that easy to find a long-term technological
solution. The problem here is not a technical one, IMHO. The problem is that
the government of Kazakhstan is not respecting the freedom of its people.

Point in case: In 2018, Kazakhstan ranked #144 in the Economist Intelligence
Unit’s Democracy Index. Countries such as China, Cuba and Belarus had a better
ranking. [See
[https://en.wikipedia.org/wiki/Democracy_Index#Democracy_Inde...](https://en.wikipedia.org/wiki/Democracy_Index#Democracy_Index_by_country_2018)]

IMO what’s needed is first and foremost more democracy in Kazakhstan. That’s
not something that Firefox can solve.

With that said, perhaps anti-surveillance technology can assist the affected
users. Maybe Tor. I’ve heard about some other, similar project but I can’t
recall its name right now.

[Edit: These were the anti-censorship applications I was thinking of:
[https://www.psiphon3.com/](https://www.psiphon3.com/) and
[https://getlantern.org/](https://getlantern.org/). Can’t vouch for their
security though.]

~~~
krick
I don't agree. First off, no matter how you or me may be enraged by the
incident, this is not (and shouldn't be!) a "moral problem" for the Firefox.
And, by the way, if you are not living in the Kazakhstan, it's not for you to
decide "what is needed first and foremost in Kazakhstan", it's their business
entirely.

From the point of view of the Firefox, this should be an extremely simple
technical problem. There is CA that is known to be "compromised" in an
entirely technical sense, i.e. it is known to allow MITM. So blacklist it, end
of discussion. Allow the user to remove it from the blacklist somewhere in
browser's settings: it's not for you (Firefox) to decide what the greater good
is.

I assume, it would indeed be a problem for Kazakhstan to fixing the service if
people are not using the internet, because their browser doesn't work (because
it's both an economical and a social disaster, obviously). Or maybe it
wouldn't, because Kazakhstan will send troops to every home to replace every
browser by Kazakh-fox or whatever. And it may play out to the better in the
end, as much as it can lead to massacre.

But (as a 3rd party technological company) don't play mighty and powerful,
responsible for the lives of people in Kazakhstan, it's not your fucking
business how they live. You see a technological problem (known CA allowing
MITM) — you solve it (block the CA!). That's what you promised your users to
provide, to fix technological problems, not to fix the political climate in
Kazakhstan, USA, China, whatever.

~~~
closeparen
The certificate is not in the Firefox trust store. The government is requiring
users to add it manually.

------
akersten
Google, Mozilla, and Microsoft need to take a stand here and blacklist these
certs. All of the efforts to move to HTTPS, and all of the rhetoric
surrounding it, are just wasted time and empty words if we as a tech community
allow this kind of behavior to go unchallenged. This sets such a dangerous
precedent, and governments need to know that this kind of meddling will not be
tolerated.

~~~
terlisimo
Hello,

To continue using internet, you need to install our government-provided fork
of Firefox that doesn't blacklist our government-provided root cert.

regards, your Tele2

~~~
mdhardeman
That's exactly what will happen if they all-out blacklist. The best near-term
option may be a compromise: a special indicator in the browser UI that the
connection has been set up in such a way that some organization may be
monitoring.

~~~
baq
for all we know NSA may already be doing that all the time, and they're only
the worst of the good guys.

~~~
mdhardeman
Modern browsers require that leaf certificates which are issued in a chain
which descends from a built in publicly trusted root include "certificate
transparency" information. This means that the certificate has been published
in numerous public logs and so would be discovered.

No doubt the NSA intercepts all kinds of things, but they're not doing it with
TLS MITM technology (at least not without further additional hacks).

~~~
aembleton
That is, assuming that your downloaded copy of Firefox contains these root
certificates and not some different ones.

------
vbezhenar
I'm from Kazakhstan using the biggest Internet provider (Kazakhtelecom) and
that's not true for me. No MITM here. Maybe not yet. Also checked mobile
provider (Activ) and no MITM here too. But I saw local news, so probably not
fake, though I'm not sure if it'll be mobile internet only or all providers.

~~~
Ajedi32
This comment on the mozilla.dev.security.policy mailing list says that right
now it's only for users in the nation's capital:
[https://groups.google.com/d/msg/mozilla.dev.security.policy/...](https://groups.google.com/d/msg/mozilla.dev.security.policy/wnuKAhACo3E/cpsvHgcuDwAJ)

> At the moment, providers started to use the certificate in the capital of
> Kazakhstan - Nur-Sultan (ex. Astana).

So it may not be nationwide yet.

~~~
vbezhenar
> This comment on the mozilla.dev.security.policy mailing list says that right
> now it's only for users in the nation's capital

I'm from capital (Nur-Sultan, former Astana).

I just checked my wife's phone and apparently she got SMS. Funnily enough, her
cellular internet now does not work at all. Probably rollout is not going
easy.

------
wybiral
This sounds very familiar. Oh yeah, 4 years ago:

[https://bugzilla.mozilla.org/show_bug.cgi?id=1232689](https://bugzilla.mozilla.org/show_bug.cgi?id=1232689)

------
privateSFacct
They should just put a red dot on the browser bar somewhere indicating a non-
normal root cert is being used (this would also help in dev / test scenarios).

~~~
taviso
This is actually the subject of some debate, believe it or not, there is a
good argument against it.

Here is the crux of the issue, many TLS middleware providers install their own
root certificate for network monitoring, data loss prevention, security
scanning and so on. I personally would like them to stop doing that or at
least make it obvious to end users it's happening. However, in order to modify
the root store, they must have been authorized to do so by the Administrator,
and it's their network or hardware.

If we try to make it obvious to users that this inspection is happening, these
providers will switch to using alternative methods, such as using Microsoft
Detours - which would be even worse, now you have random vendors patching
security critical code in such a way that is not discoverable for end-users.
This cannot be prevented, because they must already have Administrator access
or they wouldn't have been able to modify the root certificate store in the
first place.

In this Kazakhstan scenario, imagine if adding the government certificate put
a red dot that said "You are being monitored". If the government didn't like
that, they could instead require you to install monitor.exe that had the exact
same effect, but didn't show the dot by patching and hooking all the crypto
APIs. I find this argument against adding an obvious indicator quite
compelling.

~~~
Ajedi32
In this case though, it seems like the government has no problem with telling
people they're being monitored. The fact that they're willing to tell people
to install a TLS certificate is indicative of that.

I think companies in the US are legally required to provide similar disclosure
when monitoring their employees, so I don't see why they'd have a problem with
a persistent indicator like that.

~~~
dchest
_In this case though, it seems like the government has no problem with telling
people they're being monitored_

Not at all. They spin it as providing security:

"Due to frequent cases of theft of personal and credential data, as well as
money from bank accounts of Kazakhstan, a security certificate was introduced
that will become an effective tool for protecting the country’s information
space from hackers, Internet fraudsters and other types of cyber threats.

...

What is a security certificate?

A security certificate is an electronic certificate that allows to protect
Internet users from content that is prohibited by the laws of the Republic of
Kazakhstan, as well as from malicious and potentially dangerous content. The
security certificate is intended to provide subscribers of cellular
communication in Kazakhstan with Internet access in the most secure manner."

(source:
[https://www.kcell.kz/ru/product/3585/658](https://www.kcell.kz/ru/product/3585/658)
-- but this text seems to be coming from government, since it's quoted by all
providers).

------
AndyMcConachie
What makes everyone so sure this isn't happening everywhere already?

The problem Kazakhstan had was that there was no existing CA they could
already force to issue certs. So they had to make a new one. It would be
foolish to assume that none of the many trust anchors your browser already
trusts haven't already been compelled by your local government to do exactly
this.

Also, DANE and DNSSEC solves this problem.

~~~
Ajedi32
Certificate Transparency would make it blatantly obvious if any existing CA
were being compelled by governments to issue fraudulent certs.

DANE is, unfortunately, not viable to implement in browsers right now for a
variety of reasons:
[https://www.imperialviolet.org/2015/01/17/notdane.html](https://www.imperialviolet.org/2015/01/17/notdane.html)

~~~
lifthrasiir
> Certificate Transparency would make it blatantly obvious if any existing CA
> were being compelled by governments to issue fraudulent certs.

CT makes such an attack obvious, but the harm can't be undone.

A case study: root certificates for the GPKI, the South Korean governmental CA
primarily used for public institutions, are not included in most browsers
except for maybe IE [1] but frequently trusted due to (still) prevalent uses
of ActiveX controls. It is of course subject to CA/B Forum baseline
requirements [2] and publishes CT records, so you may guess their
"accidentally" invalid wildcard certificates [3] are quickly spotted... Heck
no! It was only noticed 3 years later [4]. No one knows what happened in this
period.

[1] For example, Firefox doesn't include it:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1377389](https://bugzilla.mozilla.org/show_bug.cgi?id=1377389)

[2] [https://cabforum.org/baseline-requirements-documents/](https://cabforum.org/baseline-requirements-documents/)

[3] For example, [https://crt.sh/?id=6990343](https://crt.sh/?id=6990343)
contains a public suffix `.co.kr` (comparable to `.com`). Note that the BR
contains very strong requirements for such public suffixes, which the GPKI
didn't follow.

[4]
[https://www.mois.go.kr/frt/bbs/type001/commonSelectBoardArti...](https://www.mois.go.kr/frt/bbs/type001/commonSelectBoardArticle.do?bbsId=BBSMSTR_000000000009&nttId=62842)

------
userbinator
I think the most important thing to keep in mind as you read through this
issue and the comments is "be careful what you wish for". No doubt cases like
this will be taken as arguments for making it even harder to install your own
root certs than it already is, meaning that those who run MITM proxies on
their own networks (e.g. to filter out ads even in otherwise unconfigurable
browsers and such) get affected negatively, and it takes away from personal
freedom. Also, don't forget that the pro-DRM and adtech crowd would love for
nothing other than you to get exactly what they serve, whether you want it or
not.

The increasing politicisation of Mozilla is also a concern --- it seems unwise
for it to fight a government, or turn their core product into a platform for
doing so. It's sad to see "privacy" brought up as an argument, and that seems
to be Mozilla's main one these days; I think it's perfectly fine for people to
desire privacy (and my MITM proxy will help with that, by stripping out
trackers and such), and for Mozilla to offer services that do (they could work
on their own VPNs and "firewall busters", for example), but the attitude of
knowing better than the users or forcing them to trust or not trust certain
entities is wrong.

------
jupp0r
So it took them only two weeks to take advantage of Firefox's new policy to
automatically "fix"[1] man in the middle attacks through enterprise/antivirus
CAs. As expected, this "convenience" will make us all less safe :(.

[1] [https://blog.mozilla.org/security/2019/07/01/fixing-antiviru...](https://blog.mozilla.org/security/2019/07/01/fixing-antivirus-errors/)

~~~
jopsen
If an attacker can install a CA on the system, the attacker can probably also
apply binary modifications to Firefox.

Or replace it with a compromised version.

~~~
jupp0r
It can be an authoritarian government arm twisting you into installing it
voluntarily, as the article proves.

~~~
closeparen
Which they could also do with software, or even hardware via import controls.

------
Ajedi32
Previous discussion from back when this was first announced:
[https://news.ycombinator.com/item?id=10663843](https://news.ycombinator.com/item?id=10663843)

------
lone_haxx0r
> I think this CA should be blacklisted by Mozilla and Firefox should not
> accept it at all even user installed it manually.

> This will save privacy of all Internet users in Kazakhstan.

No. This will mean that users would simply switch to chrome, edge, brave, ...
, n + 1.

In case all of them block this CA, the government will force people to install
an older version or will patch any open source browser so that it works with
their certificates.

IMO, this is also wrong from a philosophical point of view. Your browser
should just be your browser and not take part in political disputes. It
doesn't sit well with me that Firefox has anything to say in the politics of
its users.

And finally, encryption doesn't solve violence.

~~~
taftster
Yes, exactly.

In the United States, for example, it's legal (even expected?) that
corporations can install custom CAs into their user's browsers and prevent
internet access to any browser without it installed. Is it Mozilla's job to
prevent these CAs from being installed on user's workstations? Should Mozilla
reject any certificate from Blue Snort, etc.?

Kazakhstan has likewise declared it legal (under their own sovereign legal
authority) to prevent web access to its citizens without the required CA
installed. Just like it's legal in the US for corporations to "spy" on their
employees, it's legal in Kazakhstan for it to spy on its citizens.

Laws of Western countries do not extend into other sovereign nations,
regardless of what one thinks of those laws. It's not Mozilla's job to get
involved in this case.

> And finally, encryption doesn't solve violence.

Nor abuse of freedom by nation states, unfortunately.

~~~
jeroenhd
American and European companies and organisations put on loads of protest
against acts like SOPA and Article 13. I don't see why this is any different.

Just because a nation state decides on something doesn't mean that foreign
entities can't protest that decision. Firefox and Chrome can add very scary
warnings to users about government sabotage if they want to; they can even
start including ads for Tor and comparable services if they want to. Blocking
the cert would at most be very consumer-unfriendly to people wanting the
certificate to be in place. If they disagree with a particular browser vendor,
those people can switch browsers or fork an open source one.

Mozilla's job is to provide a safe and open web. The Kazakh government is
opposing that. In this case, it's perfectly in line with Mozilla's mission to
warn users as best they can against the scary precedent their government is
setting.

Of course this only works well if Google, Microsoft and Apple join the effort
to warn users. Google is already showing a constant warning on Android when a
device is being MitM'd and many of their apps do certificate pinning. Facebook
and Twitter do certificate pinning in their apps as well.

I don't see why browsers couldn't take action as well. Just don't show any
green locks during a MitM and show periodic notifications about the users'
security being compromised. Block the certificate if you have to; as a party
people rely on for choosing what certificate authorities to trust, they can't
allow themselves to be compromised by governments enforcing laws endangering
the safety of the web.

------
TazeTSchnitzel
Tele2, a Swedish company and major phone network in Sweden.

Wouldn't be the first scandalous thing in the former Soviet Union that a
Swedish phone network was involved in:
[https://en.wikipedia.org/wiki/Telecom_corruption_scandal](https://en.wikipedia.org/wiki/Telecom_corruption_scandal)

~~~
filleokus
To be noted though, Tele2 has as of recently exited the Kazakhstani market:
[https://www.tele2.com/media/press-releases/2019/tele2-has-ag...](https://www.tele2.com/media/press-releases/2019/tele2-has-agreed-with-kazakhtelecom-on-the-terms-of-its-exit-from-kazakhstan)

------
yholio
Can we, endpoints outside Kazakhstan, detect when a MITM client is connected
and serve a boilerplate message "Untrusted connection"?

If enough high level sites do this (Google, Cloudflare, Wikipedia etc) it
might force the hand of the government since they are the ones effectively
breaking the internet.

~~~
arpa
No, MITM is not easily detected on the server side. It's a transparent proxy. You
could start serving these messages to the whole KZ IP range, though.

~~~
arpa
If someone could enlighten me where I'm wrong, it'd be much more constructive
than simply downvoting.

~~~
knd775
[https://blog.cloudflare.com/monsters-in-the-middleboxes/](https://blog.cloudflare.com/monsters-in-the-middleboxes/)

[https://mitm.watch](https://mitm.watch)

~~~
arpa
Thank you. An interesting technique, but ultimately very easily bypassed with
minor effort on interceptors' behalf.

------
Tepix
Question to local readers: Is Kazakhstan also blocking VPNs and SSH?

~~~
vbezhenar
Kazakhstan is blocking some websites, including home pages for Tor and popular
VPN services. It also uses some sophisticated Tor blocking: it establishes a TCP
connection but no bytes are going there, so the Tor client just hangs there
without error or traffic. I wasn't able to unblock it, though I did not try hard
enough. I think that they are blocking connections to popular VPN services as
well, but I don't really know. Without access to their home pages it's hard to
connect anyway. I know that people are successfully using some mobile apps as
VPNs, so while they are trying to block VPNs, they are not trying hard enough.

I never had any problems with SSH, and I operate my own OpenVPN on a VPS using
the standard port and never had any problems with it either.

------
kristofferR
Almost exactly a year ago I asked this:

[https://security.stackexchange.com/questions/189647/what-hap...](https://security.stackexchange.com/questions/189647/what-happened-with-kazakhstans-root-ca-mitm-policy)

Guess it wasn't canceled after all.

------
altmind
Hmm, certificate pinning will not allow this gov CA to work for a lot of high
profile web sites. I wonder if these sites with cert pins are whitelisted by
the KZ gov?

--

Somehow I missed that HPKP is dead and will be removed from Chromium and all
the derivative browsers. Now Google is focusing on Expect-CT.

~~~
lpellis
My understanding is pinning will not block this, locally installed trust
anchors bypass pinning.
[https://groups.google.com/d/msg/mozilla.dev.security.policy/...](https://groups.google.com/d/msg/mozilla.dev.security.policy/wnuKAhACo3E/cbxRVMkxDwAJ)

~~~
vbezhenar
That's correct, HPKP does not block this. If some application uses manual
pinning, it'll work (or, rather, won't work at all).

------
DarkContinent
Could someone explain to me what this means and/or why it's bad?

~~~
coldpie
When you connect to a website via HTTPS, your browser downloads the
certificate from that website and validates it by checking that the website's
certificate was cryptographically signed by an entity that the browser trusts.
If the certificate is valid, then you can assume that your data will only be
decrypt-able by the website owner, so the connection is secure. Your browser
will display a happy green banner showing that the connection is secure, so
you can feel safe sending private data to that website without it being
eavesdropped along the way.

The browser checks for validity by ensuring the website certificate is signed
by a certificate that is shipped with the browser. These "root certificates"
are usually owned by Certificate Authorities, such as Verisign or any other
number of CAs. CAs ought to verify that the entity creating a new certificate
is who they claim to be (the website owner) before signing a certificate. This
way, you trust Verisign to tell you that you can trust the target website.

What Kazakhstan has done is create their own root certificate and asked people
who live there to install it in their browsers. They are also intercepting any
connection to facebook.com and giving your browser a Kazakhstan-created
certificate, which is then verified against the Kazakhstan-owned root
certificate. Since it will pass this check, the browser shows a happy green
banner, even though the certificate is owned by Kazakhstan and not
facebook.com. In other words, the data people in Kazakhstan send to
facebook.com is now being intercepted and decrypted by Kazakhstan before being
forwarded to facebook.com. Facebook is the example used in the linked bug,
they can perform this with any other website, too.

~~~
snarf21
What prevents us from having to trust Verisign (or its employees) or a
government warrant, etc. to not do the same?

Can we leverage signed DNS records to add another layer of control needed? Do
we also need encrypted DNS where we can choose who to trust? Are we stuck with
the CA trust model?

~~~
JoshTriplett
> What prevents us from having to trust Verisign (or its employees) or a
> government warrant, etc. to not do the same?

Certificate Transparency. Current browsers are moving to not trust _any_
certificate whose issuance wasn't publicly logged. That doesn't prevent an
attacker from issuing an MITM certificate, but doing so would permanently burn
a CA. (At least, once the policies are in place and enforced.)

------
renatello
I'm in Kazakhstan atm, the only solution I can see is to reach Google,
Mozilla, Firefox, Apple, banks and all the other popular platforms and social
media apps and ask them to ban connections with the government-issued
certificate.

This will immediately block their services in the country and will raise
awareness at scale.

[https://renatello.com/mitm-in-kazakhstan/](https://renatello.com/mitm-in-kazakhstan/)

------
adsadasdas
How does this work technically?

I understand that by making people install the government cert, any website
with a cert signed by that government cert will happily speak TLS.

But, how can they read data transmitted between websites they don't control?
When the client asks for Facebook's cert, wouldn't the government have to
sneak in and show a fake cert signed by them instead? How does that work?

~~~
balowria
It can probably work as MITM. The ISP or whoever controls your net traffic
needs to generate a fake certificate (signed by a trusted root cert) for a site
you are browsing. Refer to the example in:
[https://en.wikipedia.org/wiki/Man-in-the-middle_attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)

------
Tepix
Just think about this for a minute.

The regime has just painted a huge "X" on their backs.

If you hack the government's servers and steal the certificate private key you
can pretty much rob the entire country - all bank transactions, pins,
passwords etc. will be in the clear for you, ripe for the picking.

This is yet another reason why backdoors are so dangerous, not just for the
privacy of all citizens.

------
filleokus
Do these MITM middleware programs usually verify the cert presented by the
server? If not, I guess this could be used to double-MITM the user?

If someone manages to redirect traffic, e.g. by DNS spoofing, to some server which
presents a self-signed certificate for e.g. Facebook.com, the government MITM
would just sign that as being Facebook.com.

------
webo
It seems like it's easy to take down the site that's hosting the certs
([http://qca.kz/](http://qca.kz/)). Maybe that's an appropriate response to
this...

    
    
       $ wrk -t 50 -c 500 -d 5m --latency --timeout 3s http://qca.kz/

------
enekdkkeken
Absolute morons. They will break Windows updates. You cannot easily MITM
Windows updates. There is an additional undocumented check that the CA is from
Microsoft. One needs to hotpatch the Windows Update DLLs to enable it. That’s
almost certainly one that won’t be intercepted.

------
djsumdog
Have other governments requested their citizens to install country specific
CAs? For some reason, I thought China already employed this practice (although
I guess they wouldn't need to, as they just tend to block everything that
isn't government approved).

~~~
vbezhenar
AFAIK it did not happen yet anywhere, including China. Kazakhstan is kind of
"leader" there. Though I'm sure more countries will follow.

------
Yizahi
Let's say you have this root CA installed on your local machine and won't delete
it. Can you protect yourself against HTTPS decryption by MITM in any way? Will a
VPN help, or will they intercept the VPN connection too?

~~~
Tepix
Use a browser that doesn't use the CA list of the OS (such as Firefox) and
tunnel all the traffic via a stealthy VPN.

It would probably be illegal and if the regime finds out they'll put you into
jail etc.

------
vkaku
Many of us already trust certificates we shouldn't be.

It's not even this blatant in most cases. About 6 countries have issued
certificates for Google, India being one of them. And they all made use of the
fact that they were part of the trusted root certificates on our systems.

[https://www.quora.com/Why-are-HTTPS-requests-not-cacheable-b...](https://www.quora.com/Why-are-HTTPS-requests-not-cacheable-but-HTTP-can-be/answer/Karthik-Kumar-Viswanathan)

------
ElijahLynn
This is being discussed here as well
[https://groups.google.com/forum/#!msg/mozilla.dev.security.p...](https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/wnuKAhACo3E/cpsvHgcuDwAJ)

I like the idea of a permanent, non-removable banner saying "Kazakhstan is
spying on you, learn more here <link to more info>.".

------
arpa
Actually, a DNS CAA record could be of use in this scenario to at least alert
the client that the traffic has been intercepted. Then again, it is trivial to
intercept and rewrite plain DNS requests, and DNS over HTTPS would also be
subject to the same HTTPS MITM intercept... Maybe certificate pinning was the
right idea.

~~~
vbezhenar
CAA is for issuers, not for browsers. And yes, without DNSSEC it's easily
spoofed.

~~~
arpa
That is true, however it could be used for CA verification also, could it not?

Edit: RFC 6844 very unambiguously states that it can be used for additional
verification:

> CAA records MAY be used by Certificate Evaluators as a possible indicator of a
> security policy violation. Such use SHOULD take account of the possibility
> that published CAA records changed between the time a certificate was issued
> and the time at which the certificate was observed by the Certificate
> Evaluator.

------
anovikov
I think everyone who is concerned with privacy in states like those uses Tor
anyway all the time. I know people who only do meaningful stuff on the
Internet through an RDP session on a server in Amsterdam, connected to through
a VPN. The rest is just to watch cat videos.

------
peter_d_sherman
This is bad because we don't like it when a foreign government infringes on
foreign citizens' rights, but it may also be good (in a limited sense) because
it might bring a whole lot more public scrutiny (from all countries and their
citizens) towards the issue...

~~~
mdhardeman
This will _not_ be good.

To the extent that Kazakhstan succeeds with this, it will only make other
governments jealous of the capability and want it for themselves.

------
me551ah
Firefox and Chrome updating their browsers to block these certificates also
won't work, since the Kazakh government can just fork Firefox and create their
own browser which accepts their rogue certificate, and block all other
browsers which don't.

------
2woowoowoo222
I live in Kazakhstan and have not seen this yet. No MITM according to the
provided tests (mholt)

~~~
austinheap
It's only rolled out to 20-30% of the country right now:
[https://atlas.ripe.net/measurements/22372655/#!probes](https://atlas.ripe.net/measurements/22372655/#!probes)

------
weddpros
Many "democracy loving" politicians today:

"I knew the techies could do it! They told me they couldn't but I knew they
were lies. See! even Kazakhstan can do it, so why can't I also break HTTPS
encryption?"

------
austinheap
At what point does this become an OFAC issue for browser vendors based in the
states? I would be stunned if someone at Commerce isn't already circulating
enforcement memos about this.

~~~
mdhardeman
I think that's terribly optimistic. I think there are all kinds of people in
the US government who would like to be able to point to a success story of a
scheme like this, so that they'll have more ammunition in support of
implementing it here.

As for whether designating that browser vendors can't distribute software to
Kazakhstan, their government would just fork an open-source one, mod it to
pre-include their MiTM cert, and force their citizens to use that.

------
ilaksh
It seems like there is a structural problem in relying on authority (in a CA)
for encryption. Probably by design.

I think ultimately the solution is going to be p2p content-centric approaches.

------
natch
Would it be possible to also blackhole the domains used to host the bad CAs?
Yes they could counter this but it would buy some time before browsers are
updated.

------
worldofmatthew
The best solution would be to blacklist rogue SSL certs.

~~~
vkou
Doing so will make the internet (In Kazakhstan) unusable, because everywhere
you go, you will see an 'untrusted cert' warning.

~~~
worldofmatthew
Sometimes stuff like this needs doing in order to show how bad MITM is.

~~~
vkou
Okay, say you live in Kazakhstan. You stop using the Internet.

Do you think the government will care?

~~~
novok
If it ruins their economy, yes.

~~~
vkou
99% of the population will happily install the government cert, and life will
move on.

The 1% will either put up with it, stop using the internet, or leave.

One thing will happen though - the economy will _not_ be ruined.

Generally speaking, since the Cold War ended, these sorts of countries don't
mind troublemakers leaving. It's better international PR for them to have
'problem people' leave voluntarily, than to repress them.

~~~
vbezhenar
For example, there's no way for my LG TV to install that root CA, so all that
smartness is basically rendered useless, unless LG would issue new firmware for
that region and I'm not really sure that they would care enough. I bet that
there are plenty of devices that would stop working. Think about all those IoT
devices. I could imagine some kind of eye surgery laser device to stop working
because it can't connect to its Zurich servers to check license. Yes, it won't
cause revolution, but there will be a lot of issues.

------
daukadolt
Does such a certificate compromise non-browser traffic as well? Like SSH
tunnels, mobile apps, Telegram etc.

~~~
tomxor
SSH doesn't depend on certificate authorities, it's up to you to manage your
own keys, each end point also has a uniquely generated signature which avoids
MITM after first time auth (including by taking over domains).

This is an HTTPS-only issue and fundamentally it's the same problem as control
over domains (ease of manipulation through centralisation).

~~~
daukadolt
So that means apps like Instagram are safe to chat in?

~~~
filleokus
Not necessarily.

As far as I know, both the apps you mentioned use HTTPS. However, apps have
the option of doing what's called Certificate Pinning.

That's when the application ignores OS/User trust settings about certificates,
and just allows a list of hardcoded certificates / certificates signed by a
hardcoded CA. Akin to how SSH works (kind of...).

If I remember correctly both Telegram and Instagram have pinned their
certificates, which would probably block all network communication but not
allow for a MITM attack, even if the user installed the KZ root certificate.

~~~
yladiz
I think all Facebook apps do this, and probably most major apps from big
companies. I tried to do some research on what requests the Facebook app was
making on my phone and it was pretty difficult to get it to allow me to use
Charles proxy (when I installed the cert on my phone the app just stopped
working) because of the certificate pinning. The only way this would work is
if the government created their own FB, etc. app and somehow distributed it.
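
The two pinning behaviours discussed in this thread (browser pins being skipped for locally installed trust anchors, and app-level pins that ignore the trust store), modelled as an added example that is not part of any comment. The certificates are constructed byte strings standing in for DER encodings, all names are hypothetical, and whole-certificate fingerprints are used where real pins hash the public key.

```python
import hashlib


def fp(der):
    """SHA-256 fingerprint of a certificate's DER bytes."""
    return hashlib.sha256(der).hexdigest()


# Constructed stand-ins for DER-encoded certificates (not real certificates).
# A chain is ordered leaf first, trust anchor last, and is assumed to have
# already passed signature and hostname checks.
PUBLIC_ROOT = b"constructed root: Example Public CA (shipped with the client)"
OTHER_ROOT = b"constructed root: Other Public CA (shipped with the client)"
LOCAL_ROOT = b"constructed root: locally installed interception CA"

GENUINE_CHAIN = [b"constructed leaf: app.example via Example Public CA", PUBLIC_ROOT]
MISISSUED_CHAIN = [b"constructed leaf: app.example via Other Public CA", OTHER_ROOT]
INTERCEPTED_CHAIN = [b"constructed leaf: app.example via interception CA", LOCAL_ROOT]

BUILTIN_ROOTS = {fp(PUBLIC_ROOT), fp(OTHER_ROOT)}
USER_ROOTS = {fp(LOCAL_ROOT)}
PINS = {fp(PUBLIC_ROOT)}  # app.example pins the CA it really uses


def pin_ok(chain, pins):
    """A pin is satisfied when any certificate in the chain matches it."""
    return any(fp(cert) in pins for cert in chain)


def browser_accepts(chain, pins, builtin_roots, user_roots):
    """Browser-style policy: pins are enforced only under built-in roots."""
    anchor = fp(chain[-1])
    if anchor in user_roots:
        return True  # locally installed anchor: the pin check is skipped
    if anchor in builtin_roots:
        return pin_ok(chain, pins)
    return False  # unknown anchor: ordinary validation failure


def app_accepts(chain, pins):
    """Manual pinning in an app: the trust stores are never consulted."""
    return pin_ok(chain, pins)


def verdicts():
    """(browser, app) decision for each of the three constructed chains."""
    chains = {"genuine": GENUINE_CHAIN, "misissued": MISISSUED_CHAIN,
              "intercepted": INTERCEPTED_CHAIN}
    return {name: (browser_accepts(c, PINS, BUILTIN_ROOTS, USER_ROOTS),
                   app_accepts(c, PINS))
            for name, c in chains.items()}


if __name__ == "__main__":
    for name, (browser, app) in verdicts().items():
        print(f"{name:12} browser={browser} app={app}")
```

The intercepted chain is the only case where the two clients disagree: the browser-style policy accepts it, while the pinned app refuses to connect.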

------
kunkurus
Hopefully Starlink will launch soon. Good luck with a MITM attack on a
satellite connection.

------
samat
Does anyone have ideas, who is the tech vendor?

Russians? Chinese?

~~~
Fins
They could perfectly well do it themselves.

------
stratigos
Hooray for Firefox! Why use any other browser?

------
hamilyon2
What about IoT and embedded systems?

------
eruci
Try an SSH tunnel.

------
edoo
I would actually be shocked if US agencies can't do the same here almost all
the time. There has to be at least one trusted root authority that is
controlled by an agency. Do you remember when RSA made a $10 mil deal to give
.gov a backdoor back in the day? There is no reason any major US based
certificate issuer couldn't do the same, or an employee turned into an asset
to sneak it to them, or they just straight hack the places and get certs they
can generate anything on. You might be able to detect it by logging the issuer
of the cert, the browser doesn't care who auths it as long as it is trusted.
It would be odd for most places to have certs issued by multiple authorities.
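
One way to act on the issuer-logging idea in the comment above, as an added example that is not part of the original comment: compare the issuer seen for each host against a baseline recorded on a trusted network, and report issuers that newly appear for several unrelated hosts at once. The certificate dicts are constructed samples in the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the host names, CA names and the `min_hosts` threshold are assumptions.

```python
import socket
import ssl
from collections import defaultdict


def issuer_name(cert):
    """Issuer organisation (or common name) from a getpeercert() dict."""
    attrs = dict(attr for rdn in cert.get("issuer", ()) for attr in rdn)
    return attrs.get("organizationName") or attrs.get("commonName") or "<unknown>"


def fetch_cert(host, port=443, timeout=5):
    """Live collection: the validated leaf certificate as this client sees it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def find_shared_new_issuers(baseline, observations, min_hosts=3):
    """Return {issuer: [hosts]} for issuers that are new for each listed host
    and show up for at least min_hosts different hosts.

    baseline:     {hostname: set of issuer names seen earlier}
    observations: iterable of (hostname, getpeercert()-style dict)
    """
    changed = defaultdict(set)
    for host, cert in observations:
        known = baseline.get(host)
        if known is None:
            continue  # no history for this host, nothing to compare against
        issuer = issuer_name(cert)
        if issuer not in known:
            changed[issuer].add(host)
    return {iss: sorted(hosts) for iss, hosts in changed.items()
            if len(hosts) >= min_hosts}


def _cert(org, cn):
    """Constructed certificate dict using the getpeercert() issuer layout."""
    return {"issuer": ((("countryName", "XX"),),
                       (("organizationName", org),),
                       (("commonName", cn),))}


# Constructed baseline and observations (not real measurements).
BASELINE = {
    "mail.example": {"Example CA One"},
    "bank.example": {"Example CA Two"},
    "social.example": {"Example CA One"},
    "news.example": {"Example CA Two"},
}
OBSERVED = [
    ("mail.example", _cert("Constructed Interception CA", "Interception Issuing CA")),
    ("bank.example", _cert("Constructed Interception CA", "Interception Issuing CA")),
    ("social.example", _cert("Constructed Interception CA", "Interception Issuing CA")),
    ("news.example", _cert("Example CA Three", "Example CA Three G1")),  # ordinary CA change
    ("new.example", _cert("Constructed Interception CA", "Interception Issuing CA")),
]

if __name__ == "__main__":
    for issuer, hosts in find_shared_new_issuers(BASELINE, OBSERVED).items():
        print(f"new issuer {issuer!r} now seen for: {', '.join(hosts)}")
```

A single host changing CA stays below the threshold, so the ordinary renewal at `news.example` is not reported; only the issuer that replaced the expected one on three separate hosts is.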

------
mdhardeman
I blame, in part, TLS 1.3, E-SNI, and DoH for this.

Previously, a government could monitor what site a user is visiting just by
looking at the TLS session startup. Even if it is hosted on a cloud provider
and 100 different sites are hosted from the same IP, they could look at the
TLS-SNI data in the plain text to choose to interrupt and block the
connection.

A fallback would be to manipulate DNS queries and force all DNS queries to be
directed to official DNS resolvers. But DoH makes that far harder to control.

This is a bluff being called. Tech said "If we make it so that they have to
spend all this money and build a massive scale intercept that actively
participates in each TLS session, they won't buy into the cost."

Costs keep going down for this sort of thing. Now there are large
organizations and governments willing to work on this stuff.

~~~
jedisct1
It's probably completely unrelated.

DoH is easy to block. They can look at SNI and cut DoH connections.

Being able to access all the content is far more valuable than hostnames.

~~~
mdhardeman
We have E-SNI now, where SNI is encrypted. And you have DoH providers who'll
use that.

And then massive CDNs will start to support it.

Some of them might even enable it, with encrypted SNI, on _every single
listener on all of their IPs_.

DoH was designed to evolve into something nearly unblockable. Unless you
actively intercept 100%.

Which some people believed no one would pay up for or that it would be
unscalable. This stuff only gets cheaper and easier.

------
nickysielicki
Warning: what follows is completely baseless speculation, and let's concede
that right off the bat.

Who's to say that this isn't happening in the US as well? The US has invested
billions of dollars in dragnet surveillance that is allegedly useless for
anything other than metadata in the context of HTTPS.

Is it out of the question to ask whether our secret courts could issue gag
orders and claim that national security mandates CA root keys? Such a gag
order would only be served to a small group of engineers at large companies,
and those engineers would have no right to report on it. We're talking about
only a few hundred FISA gag orders, and thousands are served annually. It
would make their multibillion dollar infrastructure useful again, wouldn't
surprise me if some (unnamed, anonymous) judge bought the argument.

To employees at vulnerable companies, what's your PKI like? Is anyone aware of
a company that implements strong multi-party checks on accesses to important
private keys? If the NSA wanted your keys, how many employees would need to be
served gag orders? Is it on the order of dozens or hundreds?

~~~
admax88q
If the NSA was using their own certificates to MITM all HTTPS traffic it would
be easily noticed by security researchers. It's not like they obtain the
private keys of every US company. They'd have to make their own replacement
cert for every site they wish to intercept. That could easily be noticed by
security professionals and targeted companies by monitoring.

~~~
nickysielicki
What about just for the Alexa 100?

~~~
Filligree
Far too many people would be able to notice. Someone in one of the companies
would whistleblow.

~~~
24gttghh
But would they? The Snowden leaks were 6 years ago. I am assuming the
government didn't just throw up their hands and give up after that...

edit: not to say they are specifically MITM'ing HTTPS widescale.

~~~
austinheap
There are a lot easier ways to exfiltrate data than wholesale breaking TLS
encryption and MITM'ing 295+ tbps of domestic traffic. That said, every super
power is working on better decryption capabilities.

