To give some context, the reason why they are getting away with such brute methods is that the most people wouldn't understand the full implication. I would be surprised if this would prove difficult to enforce - the first thing an ordinary person would do when, say, Facebook wouldn't load is to call up the Kazakhtelecom's support and the support guy would tell them to "press that button that says 'I trust this certificate'" and they would comply. There also hasn't been an uproar re government snooping into private citizens' communication, the kind that US had with Snowden etc., so a lot of people are likely to accept the "for your own security" talk at face value without much skepticism. It's also unlikely that even heightened awareness will inspire much backlash, as there is no real track record of grassroots organizing, even when the government tightens the screws. To its credit, the government has been quite skillful at balancing at just below the limit of pissing people off enough to make them go to the streets for the last twenty years (soaring oil prices in the last decade helped as well).
That only works in some areas of the world, where a, there is a somewhat free market; b, the free market idea exists in the first place.
As always, like in Perl, there are other ways of doing things; free market is not a universal law.
The fact is that pinning as implemented in Chrome exempts installed CA's from pinning checks because they want to allow administrator-mandated MITM - apparently "market requirement" because it's a common practice in schools and workplaces in some countries that lack reasonable communications privacy legislation.
You may argue that this is is broken behaviour, but that's what pinning currently is in browsers. Seems it's this way in Firefox too ("pinning not enforced if the trust anchor is a user inserted CA, default" - https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinn...)
The other option is to examine and pin the signing certificate. This is more code and more prone to error, but makes your connection slighty more robus in the face of a compromised certificate.
And yes, both techniques work even if a cert in your root store has another certificate. Applications can simply refuse to function, but this has to be done on an ad hoc basis.
Chrome does not perform pin validation when the
certificate chain chains up to a private trust anchor.
A key result of this policy is that private trust
anchors can be used to proxy (or MITM) connections,
even to pinned sites.
The fact that Chrome ships with a broken implementation does not imply the concept is broken.
I don't really agree with that, but it's IMO more useful to acknowledge the confusion, than having an argument about whether Chrome really does pinning or even gets to de facto define pinning or not, since this isn't even about Chrome :)
But still, I would have much preferred if the GP would have started their comment with "yes, but" instead of "sorry, no". That would have made the distinction much clearer.
Also we are talking about apps implementing certificate pinning. Not reading from the OS store etc., and therefore, I don't see Kazakhstan reverse engineering and patching executables.
> most people wouldn't understand the full implication
This is a great example: http://www.wordstream.com/images/what-is-net-neutrality-isp-...
John Oliver: Government Surveillance
Check out the fifth to last page, which is basically identical to what I created, if presented a bit worse. Did anyone give a shit? Nope.
Is that a genuine logo of the fucking ITU, the international body probably most obliged to prevent this kind of shit globally, and was this put together by a "senior staff member of the ITU" rather than /u/quink on reddit? Yup.
Did anything of that presentation make it to the media or public discussion? Nope. Meanwhile, my PNG has been posted here on HN 6 years after I first created it.
Let me know if you need my help, but I'm not at all sure how to best broadcast that message. Keeping away the MITM (who is here employed by an "elected" government with executive powers and "judicial oversight" acting "in the interest of public security" rather than a bogeyman or a corporation) is harder than protecting the ability to consume. Maybe the answer lies in making people afraid for their money.
Anyone with access to the private key for the certificate, which includes anyone with access to the multitude of servers that relay traffic for the entire country, could technically drain everyone's bank accounts and give away your shares at their discretion, if you've ever used online banking or trading in Kazakhstan. A single bad memory or whatever bug in some software somewhere and the number that's the private key is in the open.
In all honesty, make investors and bankers afraid and any government will shut up. As for ordinary lives of people, PRISM has shown us that they don't really care about this security stuff.
>In all honesty, make investors and bankers afraid and any government will shut up.
This is a great idea in general, but it requires a strong corporate/investor establishment that is independent from the government. Unfortunately and unsurprisingly, 90% of the Kazakh Forbes list are either 1) straight up politicians, 2) politicians' close relatives (offspring and in-laws), 3) those, whose involvement with government is "open secret" (e.g. someone rumored as being a president's personal banker), or 4) those doing in oil and gas, heavily regulated industries where government's cooperation is required to make it work. :(
Anyways, thanks for all the insight!
Revolution or leaving the country are your only choices. There is no democracy so there is probably no way to resolve this grievance, and I doubt it would be anywhere near the top of list for most citizens.
You can speak english and probably have computer skills, so I hope it would be possible for you to get out.
Just for the record, look to the US for a good example of how well democracy works for "resolving grievances".
Occupy Wall Street protesters aired some grievances, and were beaten and tased into submission. The same happens anywhere, every time the citizenry actually demands something.
It's kind of amazing how people still hold democracy as some sort of 'value' to strive for, when in reality it's just a PR-facade.
But the point is that the same thing happens everywhere. Not that long ago, Hong Kong's people protested against China appointing their rulers. They were beaten and maced etc.
Brazilians protested against a massive waste of their money on The World Cup (or some such), and got swiftly brutalized by the police. Venezuelans protested economic destruction etc, and got brutalized.
You see, as long as people just endure whatever bullshit their rulers are inflicting on them, the rulers don't have to give a fuck about them. But when people actually resist, they are violently repressed.
Otherwise the masses might start entertaining the notion that maybe they don't have to just take all the bullshit bureaucracy, massive looting/exploitation, surveillance and abuse they're subjected to after all, and their rulers definitely don't want that to happen.
The whole point of being a ruler is exploiting your subjects. Surveillance and brutality are mostly just a part of what it takes to maintain your rule over them.
In any case, my point was that in the Occupy Wall Street case, these things occurred, but they are not what caused the final blow. The final blow was a court ruling that said they have to clear out. (The wording was a bit more subtle, but that's what Wikipedia is for.)
Well, they don't need orders to hurt protesters. Some of them will actively seek out opportunities for doing so, because that's what they signed up for. Those would be the psychopaths, by the way.
Yes, in theory they can get in trouble for hurting people, but in practice we all know they don't.
> The final blow was a court ruling that said they have to clear out. (The wording was a bit more subtle, but that's what Wikipedia is for.)
I have no clue if that's accurate, but it sure would have been convenient for Wall Street.
- A life-long educational program for the people, starting with study of basic logic, rhetoric, and obscurantism. Consider collaborating with people trying to do the same in e.g. Russia.
- Joining the burgeoning autocratic bureaucracy and playing by its rules to bring change from within. If you don't feel like you have the energy or skills, consider supporting a like-minded, but more capable person in their career. It's never a crime to support a growing bureaucrat.
The biggest challenge you're going to face is defining a common idea to unite the people with whom you want to collaborate. "Like-minded" should mean something specific, or else. This idea should paint a picture compelling enough to motivate people to act, even if only a smallish number, and big enough to eclipse the lesser differences among the collaborators.
The only easy option is emigration.
Sure, it's going to be difficult to enforce, but it should also be quite cheap.
Could this get any "better"? Sure! We can even MITM all the OUTGOING https traffic if we want! #GitHubDDoS
* Recently un-trusted by Apple and Mozilla. https://support.apple.com/en-us/HT204938
What does the GitHub DDOS have to do with MITM attacks on https?
To clear it up, I said that GFW "can" do (but has not yet done) these. But it tried to MITM some https traffic earlier with a non-trusted certificate as an experiment.
Imagine if China sent saboteurs in-country to physically destroy infrastructure being used by American businesses. That would Not Be Taken Lightly.
> how that sort of behaviour doesn't constitute an act of war
I really don't understand relationships between States.
Of course, I'd be interested to see how those assets were set up in the first place - my bet would be during a non-rights-respecting period of colonialism.
How far back do you go? (Serious question).
As for nationalisation is certainly a violation of rights do you hold that all eminent domain is a violation of rights? IE if the government wants to build a road and uses compulsory purchase orders it's a violation of rights?
The root certificate thing is 'merely' a violation of the rights of their own subjects.
I guess it's just a matter of dropping every connection that you can't MITM, no?
Only way to avoid is to use some kind of foreign satellite internet or maybe private / non government / non telco dark fibre.
Or you can use non-standard ports, and change them continuously.
This realistically shouldn't be too hard to do with obfsproxy's already-built framework.
s/cat pictures/whatever you want/
For email, you'd encrypt data to have it look like regular prose. So you'd only get a few bits per English word, but that would be sufficient for short messages. Could also make use of extra spaces in between words.
The real trick with that would be to take an existing document, and alter it to encode a message. So you'd be doing things like using synonym choice to get your bits.
The government might be doing what they think is right, but public backlash can change policy almost overnight. We saw this in the US recently with SOPA/PIPA. The "Internet" response was unprecedented.
The people of Kazakhstan can achieve the same outcome.
Nazarbayev, re-elected in a barely contested election to a fifth term on Sunday, was born to a peasant family. He trained as an engineer before rising through the ranks of the Kazakh Communist Party to head it in 1989 and was elected president on the eve of the Soviet breakup in 1991.
Since then, his power has become absolute, with resounding, but internationally criticised election victories in 1999, 2005 and 2011. There is no obvious succession plan in place and there are no clear alternatives to Nazarbayev's rule...
In 2011, however, a pay dispute in the oil sector turned violent with government troops shooting dead 15 protesters and injuring over a hundred
Kazakhstan isn't going to produce a Baidu, but I'm sure Yandex and VK would be happy to fill a void and play along with their rules. And in the end, people just have less access to unfiltered news about the outside world. It's a losing plan.
It's easier to do it in countries where "freedom" was the status quo and then the government decides to do something like that. China isn't exactly a free country to begin with, and the Great Firewall was older than Google in China.
Kazahstan could just use Baidu, but it's really best for Chinese speakers, and it would give leverage to China (which they might be leery of).
From Wikipedia: In April 2015, Nazarbayev was re-elected with almost 98% of the vote.
That kind of tells the whole story - people are "behind" this (or rather no-one dares contradict the authorities). That country is basically owned by the Family and resistance is pretty much futile.
I agree a hundred percent.
People from stable democracies tends to underestimate how afraid people can be of chaos and how easy it is for some goverment to associate democracy with chaos.
When a moderate opposition starts to organize, a non-moderate one (or one that takes advantage of ethnic fault lines) does too.
As to what they can do... it's a range from info to painful, but they can choose a range of options from serving up interstitials in a localized language that explains the issues, problems, and privacy and security implications... all the way to deny service.
If the citizens demand access to those services, or find it offensive that their privacy and security is being violated and circumvented, they will take action.
And these companies can help orchestrate, just as we did with SOPA/PIPA.
Hah, right. They'll just file a complaint to their ombudsman and the Congress will take care of it.
No, this is Kazakhstan, not California. If citizens band up and demand something that the government is against, the police will crack down on their homes, arrest 15,000 people at random out of which only 10,000 or so will return to their homes (not necessarily alive), and the remaining 5,000 will rot in jail for high treason. And if they keep getting wise ideas, they'll send in the army.
The only thing that Google et al. could do is refuse to provide service to Kazakhstan which would only harm the people even more, if you are a dissident you are already taking a huge risk denying people the ability to access information and to connect with others won't help to reduce that risk just only make it worse as it would only isolate them further.
China is doing the same, so do many Gulf nations to some extent or another, no one is arguing that we should not cooperate with China, cooperation is the only real way to effect change in those nations in the first place, or would you think China would be as open as it is today if we would have a technical and cultural embargo over it?
Until they figure it out and start blocking that too of course.
EDIT: or do you mean to replace "all" (content + js)?
And it's not very detectible because they do it all the time.
I own Anno 2070 (as can be seen on my steam profile), but can only play with RELOADED crack under wine because UPlay refuses to run.
Same with this type of encryption: Kazahstan can easily defeat it, but it makes it harder for people trying to debug why they can’t use Netflix (for example, in case that Kazahstan MitM's everything, and encrypts with a different certificate than your Netflix client is using).
One catch: remember that the browser itself absolutely should not be the installed program doing the end-to-end encryption, where bugs can allow the private keys to be leaked. Important data like the private keys shouldn't even be in the same address space. See gpg-agent/ssh-agent as an examples of how to keep sensitive data in a separate process.
That's one of the things that makes securing browser JS crypto so intractable.
If it's an additional source being added much later on that you are concerned with, that's always been a broken design that Douglas Crockford warned about years ago.
This feels like the first bullet in a new war that will occur in every parliament world wide.
Besides these days you can use your own phone and mobile data, at which point you should be safe.
Work for who? This breaks SSL encryption, a technology which the modern internet relies on.
That said, there's a remarkable tendency in countries as corrupt as Kazakhstan for a "shadow" telecom network to pop up. Just run in some fiber from a neighboring country on the down-low and distribute locally via microwave dish. Yeah, it's not exactly difficult to locate a powerful dish, but it's also not glaringly obvious so you can usually pay someone to look the other way. After all, the government officials want to look into everyone's communication, but if their own communication was ever intercepted, they would be the target of blackmail! They want to use the information they gather to blackmail citizens like the Stasi, not the other way around.
Of course, the flip side of that are the mobile phone networks operated by the Mexican drug cartels and ISIS. But the only surefire way to avoid government surveillance of this sort is to bypass government regulated telecoms entirely.
The other neighbours are shining beacons of democracy such as Russia, China and Uzbekistan...
"The strictness of Russian laws is compensated by their optional enforcement", as they say.
In a smaller country like Kazakhstan such things are easier to enforce, probably.
It's also well within Kazakhstan's budget to do subtler, harder-to-defeat things to stop MITM circumvention. This is an arms race that Google will lose.
Other non-windows updates do allow you to install other software.
To set this up, Kazakhstan will have to set up their CA with the bit set for software signing. This bit will be visible by everyone and it'll be very telling instead of just being allowed as a root CA for ssl/https sites.
Not everything can be changed from the beautiful plains of Silicon Valley.
Not sure how this will work with certificate pinning, though. Will sites like Google become inaccessible?
Looking at my mac's cert keychain, there are 185 trusted root certs. I don't know what any of them are or who has the private key to them.
My ISP could MITM my traffic whenever it wants to, if it has the private key of one of the hundreds of trusted root certs on my device.
Further, unlike the Kazakhstan certificate, those root certificates cannot bypass HTTPS public key pinning (HPKP).
> there is a very real possibility of that certificate being blacklisted by browsers
Why would a browser blacklist a certificate? Is it possible for a browser to detect a MITM attack when the SSL traffic is all signed by the private key of a trusted root certificate?
> Further, unlike the Kazakhstan certificate, those root certificates cannot bypass HTTPS public key pinning (HPKP).
You are saying that pre-installed root certificates behave differently than user-installed root certificates? Wouldn't that behavior be system-dependent? I was under the impression that no root certificates can bypass public key pinning... isn't that sort of the point of pinning? That it allows traffic encryption outside of the normal trust hierarchy? What makes the Kazakhstan cert special that allows it to break pinning?
2: Browsers ignore HPKP when the server certificate is trusted through a user or administrator installed root CA. All mainstream browsers on all platforms behave in this way. This is by design specifically to allow enterprises to do the sort of traffic interception that Kazakhstan is implementing. The rationale is that if an attacker is able to get as far as installing their own CA on your system, you're screwed anyway.
And I do not understand that going to jail instantly is a smaller burden for you than living with the small risk getting caught.
Do you really believe the NSA or any of those other patriots do not have a few of the private keys for the certificates you trust?
Instances, plural, including both browsers and various cross-check mechanisms (pinning, certificate transparency, etc). Likely too many people required for operational security.
Not saying it couldn't be done, but it certainly couldn't be done lightly or often, and even then it would produce significant risk of exposure. It certainly couldn't be effectively used for widespread traffic interception.
> And I do not understand that going to jail instantly is a smaller burden for you than living with the small risk getting caught.
As mentioned, there exists legal precedent that a warrant/subpoena for information from a third party can't compel that third-party to provide arbitrarily large amounts of aid or to impose an undue burden. Findings of "undue burden" have been upheld for burdens far smaller than "this has a risk of destroying the entire business".
Issue is that cryptography won't help when there is some government that decide to enforce censorship country-wide.
It allows a server to specify the only set of certificates that a browser should accept. Meaning that MITM'ing is impossible, without a valid cert in the chain of one of the advertised trusted certificates from the server.
Chrome, Firefox, Opera, Chrome for Android, and the Android stock browser all support it.
I'm not sure how they intend to circumvent this problem, apart from perhaps just instructing users to not use those browsers? That's quite difficult to put into practice.
HPKP is great, but it doesn't address this problem.
At the very least, this clarifies intentions and helps somewhat with situations like the Dell certificate where it's not intended for MitM.
After that, IE and Firefox will follow and crypto will no longer be so trivially subverted by enterprise organizations.
If they block custom certificates, then malware will patch the process to disable the checks.
And in this case the Kazakh government could say "For your safety, the Chrome doesn't work with our Internet. Please use our Khrome instead".
I disagree with you.
It would also be a good way for them to start pushing a "two party consent" model for private wiretapping -- It's illegal for my employer to record my office phone because it's a violation of the other party's rights. Facebook has as much a stake in not letting employers monitor employee's social media use as the employees do.
Part of me hopes you are wrong, because I think encryption and security don't need to be opposing forces and MITM isn't required for strong security (though maybe for good GRC and audit).
Which is a blatant security risk, which should be fixed immediately.
> wouldn't be deployable inside large companies that have regulatory requirements to monitor traffic from their own desktops
I guess they don't use ssh?
This claim is complete nonsense, because you are conflating the installing of a certificate with a capability to override HPKP. All those businesses need is a way to add an exception to HPKP. This is no more difficult that any other IT-managed configuration.
The bug here is the assumption that installing a certificate always means HPKP should be overridden. This assumption is patently not universally true, as this Kazakhstan situation demonstrates.
> no benefit
Why is it that so many people seem to forget about the concept of Defense In Depth when one of the layers of protection is attacked?
A physical-key analogy: there is a decent chance the lock on your home's front door can be opened trivially with a bump key, which is an attack against the entire class of traditional pin-and-tumbler locks. The many homes that have such a lock can be entered in seconds. Does this mean that they shouldn't bother locking their front door? No - while it might be a good idea to invest in a better lock, forcing someone to bump the lock has benefits. Someone trying to enter your house might not have the right tool. If they do carry a bump key, that could have legal consequences ("burglar's tools").
Layered defenses help to reduce attack surface and raise the attack cost.
> less transparent
I fail to see how forcing an attacker to patch binaries or otherwise work around HPKP. Doing so will leave clear evidence that the system has been tampered with. On the other hand, a proper certificate has a small amount of plausible deniability.
> it doesn't address this problem
It doesn't solve the problem, but it should be a speed-bump that makes the attack harder, raising the cost of MitM.
If you want to be outraged about it, that's fine. I know other smart people who are also outraged about it.
Remember, though: we largely have Google and Chromium to thank for pioneering certificate pinning in the first place.
Even if pins overrode locally installed certificates, all they would have to do is to block all outgoing raw HTTPS traffic. All these browser-side security mechanisms can do is to refuse to initiate insecure connections (and inform the vendors about broken pins). They can't force a network that is actively designed to forbid private connections to allow them.
You can read more about how Google does certificate pinning here: https://www.imperialviolet.org/2011/05/04/pinning.html
TLDR: Basically, you prove to the website/mail server/sshd that you know your password, while the site simultaneously proves to you that they also know your password (and hence are actually the site you're trying to connect to), all without actually sending the password in either direction. The password is then used to bootstrap symmetric encryption keys.
If a nation-state with the resources of China has come up with a system that can still be (albeit nontrivially) bypassed then I would imagine Kazakhstan will have a much-less-sophisticated first iteration.
Obviously, a lot of people do this kind of thing in China, and from what we know, circumventing the "Great Firewall" isn't routinely getting people killed. But people should know what they're doing before they try it in Kazakhstan.
Porn? Perhaps the world's smut peddlers will become beacons of freedom and civil disobedience? (Sounds like a Neal Stephenson book.)
The worst thing — they just ban sites without any explanation. Site just stopped to work and you don't know why. Even w3.org was banned for some time (probably because its validator could be used as web proxy).
This is the biggest problem when governments go this route.
What makes me kinda angry is however where this originates from: There are countless so-called "IT security" products that had this idea of MitM-ing all traffic before. Basically it's just the same idea on a bigger level.
Here is the text of what was there.
Main page Press center Company News Kazakhtelecom JSC notifies on introduction of National security certificate from 1 January 2016
Kazakhtelecom JSC notifies on introduction of National security certificate from 1 January 2016
From 1 January 2016 pursuant to the Law of the Republic of Kazakhstan «On communication» Committee on Communication, Informatization and Information, Ministry for investments and development of the Republic of Kazakhstan introduces the national security certificate for Internet users.
According to the Law telecom operators are obliged to perform traffic pass with using protocols, that support coding using security certificate, except traffic, coded by means of cryptographic information protection on the territory of the Republic of Kazakhstan.
The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources.
By words of Nurlan Meirmanov, Managing director on innovations of Kazakhtelecom JSC, Internet users shall install national security certificate, which will be available through Kazakhtelecom JSC internet resources. «User shall enter the site www.telecom.kz and install this certificate following step by step installation instructions”- underlined N.Meirmanov.
Kazakhtelecom JSC pays special attention that installation of security certificate can be performed from each device of a subscriber, from which Internet access will be performed (mobile telephones and tabs on base of iOS/Android, PC and notebooks on base of Windows/MacOS).
Detailed instructions for installation of security certificate will be placed in December 2015 on site www.telecom.kz.
Academy of Public Administration
under the President of the Republic of Kazakhstan
of the President of the Republic of Kazakhstan
Write to us
Report an error
Career with Us
© 2010-2015, АО «Қазақтелеком»
Edit: I think I got them this time. They seem to be ministerial orders under Kazakhstan's 2004 telecoms law:
So, if encrypted by such means on the country's territory, shouldn't be intercepted? Ha!
A web-socket based protocol that opens up a new SSL session with non-MITM'd certificates.
So you'd open up the snoop-me HTTPS/1.1 connection, do some GETs, then say "GET /busy, yo", and start what looks like a video-chat conversation that is in fact a regular SSL connection with uncompromised certs.
(some protocol) over SSL over Web-Socket over bad-SSL over TCP/IP
Ultimately, though it will be very hard to accept, crypto may be on the way out as a technology with any political impact. Governments currently accept the rapid increase in SSL because none of the politicians or regulators understand that it's possible to disable it at a country level, and nobody with any technical clue has been willing to point it out to them. But that situation isn't sustainable, as the Kazakh example shows. A sufficiently determined government won't care about minor details like user convenience. They'll just say "you either install our root cert, or you don't get to use the internet" and that's it. Game over. If even just one western country does it, the rest will all follow within a few years.
How is this protecting users? They are outright lying here, if I understand correctly. Also why are they asking for my location?
Its protecting users from getting visits from Kazakhstan's security services for covertly communicated with foreign entities. That is, presuming that the content of their traffic isn't unwelcome by the security services, since otherwise, even with the use of the MitM certificate, they'll still get visits.
If you are connecting via a mobile phone the address is likely to be registered as at one of the phone company's locations which could potentially be in a different state. For many home/office serving ISPs this is similar. Also, if you are using a VPN of some sort the address you present to the web server is quite disconnected from your physical location.
If on the other hand they request your location via your web access client and you agree, it will be using localisation APIs that may well know your location with some precision: using GPS if your device has it and has it turned on, or via wireless AP availability based lookups otherwise.
However, there is a different kind of GeoIP that has the potential to be much more specific as to the location, based on a join between Internet traffic and transactions that target a specific location. e.g. when you purchase a physical item from an online vendor, with your house as the delivery address, they now have both your IP and location. Obviously for this to work it depends on a) the IP address remaining the same for some period of time and b) sharing of the necessary information to allow the join. afaik both are often true.
The city it resolves to is where my isp has their HQ.
Seems Comcast maps IP (which they issue) to postal address to exact Geo coordinate.
I am sure the NSA does better but Kazakhstan? I have been inside one of their embassies to be shocked that they were watching the news on a black and white CRT TV!!!
But obviously the security as a whole has to consider the increased risk due to the centralized cert, disregarding entirely the fact that you're trusting a totalitarian government with all of your secrets...
Right now, I am very glad that I did not go down this route.
- What will their upstream root certificate policy be?
- If they MITM any old upstream certificate, how will they mitigate the huge target they are painting on Kazakh Internet users?
I don't like it anymore than anyone else, but I see a non-malicious purpose here.
Or is this a different type of cert? I'm thinking along the lines of what Dell and Lenovo were yelled at for (although those were easy to rip off, but the government could possibly serve as the malicious actor here).
But then you're on a mercy of Google Republic.
2) Every other TCP/UDP flow is checked for conformance with plain-text protocols (like HTTP), or far worse, simply for the level of entropy in the data.
3) A threat of legal action is made against anyone caught using secure crypto.
Good luck beating that. The key here is that the "entropy detector" doesn't "really" need to work. It only needs to work well enough to scare people into submission.
I'm not sure how the current status of that warning is, however.
I guess "coded" here means VPN as well...
Wonder how other countries' embassies will be connecting if they block all the encrypted connections? Everything through a satellite connection presumably.
Or just getting official exceptions.
$ http --print h http://telecom.kz/en/news/view/18729
HTTP/1.1 302 Moved Temporarily
Date: Thu, 03 Dec 2015 08:41:31 GMT
So use Linux and you will be fine?
Everything is breakable, but some things take a really looong time to break. Governments might be able to break some weak https encryption, but not all.
At a basic level, yes, any CA can issue a certificate which can be used to launch a MITM attack. We trust that the CAs don't do this. If they're caught, the browser industry tends to revoke their CA status -- which is pretty bad for the CA's business model.
That said, the CAs have been under increased scrutiny lately, and browsers are starting to build additional protections against this kind of thing:
- Certificate pinning (HPKP) allows sites to restrict which certificates can be used for a specific host, even if the certificate is signed by a trusted system root. (Caveat: HPKP isn't enforced for local roots, installed by an admin. That's how Kazakhstan is able to get away with this, because they're asking users to install a new root manually.)
- Certificate Transparency is supposed to provide an audit log for CAs, so that any maliciously issued certificates can be detected and acted on.
That said, these features are new and not universally supported by all browsers. And neither would help in a case like Kazakhstan, where users are being asked to bypass security features and there's no system root to revoke.
Anyone has a copy of original article?
Link redirects to the main page of the website.
It's available on the Web archive: http://web.archive.org/web/20151202203337/http://telecom.kz/...
Don’t bother. Nothing will happen. It’s just talk as always.
It is a very cheap and effective way to achieve this.
Spying on the population is not prevented by GeoTrust and Cie's loosy certificates, a lot of literature and real life examples already show that. This is a tragedy of the commons, until everybody has access to REAL security, then no country has interest in having foreign powers spying them while not even being to do what everybody else does.
In France, Germany, Italy, Japan, Korea, Australia, etc, all of your data is already analyzed and deciphered, they freaking work together to make it less obvious than Kazakhstan. Don't make any mistake and don't call for overthrowing the regime there, it makes no sense.
From a citizen PoV, they became almost as watched over as we are for WWW traffic, but their lives are still not as much tracked as ours since they do not have the means of our agencies. They are still better off than us.
Even if what you said is true and western countries have private encryption keys of all websites I think that citizens of Kazakhstan would rather be spied by foreign governments than by their own government.
Not "ensure". MITM. It provides no security benefits. But it might provide another attack surface for additional malicious adversaries (criminals and other governments).