Hijacking the comment for better visibility. After getting some backlash, the government has already backed down. They claim that installing the certificate is entirely voluntary.
They have been talking about this stuff for some years, though. It will get implemented at some point. I have a feeling it was one of their "test trials": can we boil the frog yet, or do we have to heat the water up a bit more?
Are you sure that's really them backing down, and not just a way to obfuscate the issue? Technically yes, installing the certificate is voluntary; it's just that if you don't install it you won't be able to access the internet anymore when the government starts MITMing your connections.
Let's say they make it mandatory. Would it be possible for a group of people with one having unfettered access because, say, they cross the border all the time to a place that has full Internet, and they use wget to tar/gzip entire sites, places this on a server in a city, and provides access with a self-signed cert that everyone involved with knows about.
Or failing that, some kind of digital dead drop with the files. If this could be updated a few times a week, that's better than not having access to material that you don't want the government to know about. It has to be possible.
Perhaps put all the sites you visit into a text file and loop through them into a date based file or append with date stamps. If enough people did this, you could probably even spot when an entire region is doing something shady or a company was potentially compromised.
They are not backing down, they just saying meaningless words. My wife phone is MITMed right now and she can't open facebook, for example. How is it voluntary?
Banning this certificate or at least warning the users against using it WILL help a lot.
Each authoritarian regime is authoritarian in its own way. Kazakhstan doesn't have a very strong regime, especially since the first president resigned earlier this year. When people protest strongly against something, the government usually backs down. For example, a couple of years ago the government withdrew their plans of lending lands to foreign governments after backlash from ordinary people. If Kazakhs knew about the implications of installing this certificate, they would have been on the streets already.
If Firefox, Chrome and/or Safari block this certificate, the people will show their dissatisfaction and the law will be revoked.
Sometimes the people in authoritarian countries need a little bit of support from organizations to fight for their rights. I really hope the browser organizations would help us here.
Please do post this feedback in the bugzilla bug and the linked discussion thread; this is the kind of thing that helps developers make a more informed decision rather than just speculating on what would help people more.
I totally agree with your point. Blocking this certificate in major browsers or warning users would be of great use.
But there is a minor remark I have to make here. I'm sure you were talking about citizens of Kazakhstan, when you used the word "Kazakhs". The word "Kazakh" actually denotes an ethnicity, not a citizenship. And although Kazakhs are predominant ethnicity in Kazakhstan (~65% of the population), there are many others, and it's incorrect to call them Kazakhs.
Wikipedia suggests "Kazakhstani" as a English term for Kazakhstan citizens. I also saw other people using the word "Kazakhstanians". Maybe one of these two would be a better choice than "Kazakhs".
While technically this is true, it is rare (and sounds nerdy) for English speakers who are familiar with Kazakhstan to actually use the word "Kazakhstani" or especially "Kazakhstanian." The word "Kazakh" is used informally to refer to natives or citizens of Kazakhstan when the meaning is clear from the context. Similar to how "Americans" (which could arguably refer to any North or South American) is used instead of "U.S. citizens." Or "Saudis." At least that was my experience from living in K'stan for 4 years in the '90's.
I didn't know that. I'm not a native English speaker. If this is actually an established way to informally address Kazakhstan citizens in English, then it's OK, I do not object.
But I'm still skeptical about it. I think in my own speech I'll stick to "Kazakhstanian" (despite the word "Kazakh" is so much easier to type). Because I'm just used to make distinction between words "Kazakh" and "Kazakhstanian" when I speak Kazakh and Russian languages (most popular ones in Kazakhstan).
> If Firefox, Chrome and/or Safari block this certificate
For users who are already subject to the MITM, when they try to download a new version of their browser, couldn't the ISP simply serve them a slightly modified version of the new/updated Chrome/Firefox binary which does not blacklist their certificate? It would require a high level of technical expertise, but what could prevent this sort of thing?
If it's on Windows, probably the digital signature[0] of the installer bundle will flag for invalid/unknown signature. For nix you could verify checksums but for Apple, if it's not in the store, I think it's nigh* impossible to do.
If a user trusts this root CA (~ "installs the certificate") then someone who controls the root can now make their MITM look like the real deal, because it's trusted. After all you've said you trust them. Whether you _should_ trust the authoritarian government of Kazakhstan is a policy issue.
On its own the root does not magically intercept the traffic, so Kazakh ISPs will need to do a bunch of (potentially quite expensive) work to actually MITM traffic for the Kazakh government, but with the root once that work is done it doesn't get flagged as a problem.
Because this exact same strategy (root that is not trustworthy is installed) is used in corporate setups to do anti-exfiltration, porn filtering and dozens of other things of dubious value, browsers are designed to let you, or the computer's administrator, choose to trust root CAs and indeed lots of counter-measures that protect ordinary users from bad guys are deliberately _disabled_ in the scenario where you've told it to trust some third party. You know best.
If you imagine a hypothetical system which just doesn't trust this root, say somebody has a Raspberry Pi they smuggled across the border, or more prosaically, they just said "No" and refused to install the root certificate -- such a system just will treat the MITM as an error, your secure web browsing won't work because it can't make a secure connection.
Or contrariwise, suppose you install the root in an otherwise ordinary PC in New York connected to AT&T, it will have no effect because the Kazakh government obviously isn't in New York MITMing your connections to other stuff.
Review and compile the browser yourself, or just trust that someone would have found it by now and trust that your browser vendor knows that and would never do it in the first place unless they wanted to kill their browser instantly
Yes, having a root CA certificate like this installed in a client allows the certificate issuer (so in this case KZ government and anything they authorize ISPs to do) to impersonate any and every other domain. So yes, ALL https traffic to and from that client to be subject to intercept.
It exists to intercept https and potentially other TLS traffic. It exists because everybody can make such a certificate. I made such a CA certificate for my personal use, not to MITM myself, but to issue certificates for some internal services that are out of scope of letsencrypt. Every major desktop OS comes with tools that let you make a CA certificate, Windows does, macos does, linux distro usually ship openssl/gnutls/nss tools (as installable packages).
The challenge is not to make it but to get it trusted by OS and software. The Kazakhstan government solved it by having the ISPs just tell people to install the thing themselves into each and every device you own.
Why does the government want this? To snoop on people. Usually framed as "We need to be able to fight terrorists, criminals and/or foreign enemies who 'abuse' encryption to hide their malicious activities". Tho, a lot of times the government will say all people are potential terrorists, and you just don't know if they are until you start snooping on them.
It's not only a thing with just authoritarian regimes, either.
Australia passed a law which basically forces Australian companies and citizens to add backdoors in any products using end-to-end encryption (thereby effectively disabling end-to-end encryption) so the government can read communication if they want to.
The UK has a law ("snooper charter") that requires companies to "remove or disable" encryption when the government shows up with a warrant.
The US similarly are looking into end-to-end encryption busting legislation. And they already compelled companies to effective disable encryption systems, e.g. when a judge ordered lavabit (then the email provider Edward Snowden used) to hand over their encryption keys and install a government provided device capable of logging all traffic. And let's not forget that for a long time US law classified strong encryption as a "weapon" which meant you could not export encryption easily. Or the NSA e.g. pushing their backdoor encryption-busting PRNG (Dual_EC_DRBG) and weak encryption schemes (Speck, Simon).
German politicians recently started demanding end-to-end encryption busting legislation too, except they said "we do not want to make encryption weaker or insecure, we just want that the companies give us the plaintext data", which once more shows that they didn't thought it was necessary to do the most basic research into how this stuff works before talking.
You can make one on your own computer, give the result to your friends, tell them to connect through you as a proxy, and intercept everything. The tricky part is that browsers are hard coded with a list of a few trusted root certificates to trust. In order for the home baked certificate you just made to do any good, people have to explicitly install it and mark it as trusted. That means you have to distribute your newly minted root certificate and get every end point device to accept it manually.
That's what's so sinister about Kazakhstan's approach: by issuing a governmental mandate for citizens install the certificate they generated, and restricting their internet if they don't, they are effectively bypassing the Internet's current trust system entirely and granting themselves cart-blanche access to all their traffic.
Because it takes nothing but an openssl installation (or similar) to generate one?
Anyone can control a (root) certificate - the problem is getting others to trust it. Legitimate use cases might be: You want to intercept (and decrypt) traffic going from your local computer to SSL/TLS endpoints (affects only you) for example. Less clear cut / nice example: Company wants to read your traffic and therefor deploys a cert like this on your computer, now can snoop on anything you do, https or not.
Anyone can make one. You can make one if you want to. Getting others to trust and install it is the key - and in this case it is government mandated.
It is not uncommon to see this in companies that (for security, regulatory, or other reasons) need to monitor traffic in and out of their network. They have all the company provided computing devices include their self-generated CA certificate and force all HTTPS traffic through a MitMing proxy in order to do the scanning.
In the meanwhile consider using Tor https://www.torproject.org . It has different transports transport plugins available if that will make the traffic look like regular traffic and not Tor traffic.
Tor has been blocked here for the last 10 (or so) years. You have to find and add a couple of bridge servers to get it working, until they get blocked as well, of course.
Noteworthy "I messaged the user my unpublished obfs4 bridge whose OR port is firewalled and the bridge is working so far".
Also, the boxes don't seem to perform a good job in inspecting for protocols tunnelled over HTTPS (https://gitweb.torproject.org/pluggable-transports/httpsprox...).
I really don't like the idea that some third forces would interfere with internal politics of my country. Browser should work according to technical standards, not according to what US citizens decided to be good or bad. If Firefox wants to forbid locally installed roots, I'm all for it, but implement it for everyone.
That said, I don't see how government would step back. People are uninformed and generally passive, they wouldn't care enough. So, sadly, it might be the only way to push back that decision. But I still don't like it.
Privacy is not 'what US citizens decided to be good', it's fundamental human right.
I'm not a Kazakh, I'm Russian, but our politics has a lot in common. And I would say, third forces interfering with politics is not as bad (if at all), as local governments interfering with people's privacy.
Encryption is political. The technical standards around HTTPS are politically motivated. The push for HTTPS everywhere, de-facto required TLS in HTTP/2, eSNI & DoH, were largely a response to the US government's mass surveillance.
However, who makes these changes is interesting. It happened to be mostly developers in Five Eyes' countries acting against Five Eyes.
Do we need to have elected representatives in browser vendors and encryption standards bodies? Or given that the elected representatives are for mass surveillance, would that be any good?
I disagree that encryption is political. Fundamentally, it's a privacy and security mechanism and on its own it's no more political than locks, safes, paper shredders or curtains.
Because of the complex, un-intuitive nature of encryption, it mixed particularly badly with politics, and we're still suffering from the fallout of that now. (crypto wars 1)
Firefox and other application vendors who use those standards do end up being unavoidably slightly closer to politics (as demonstrated in this particular issue now), but I think Mozilla would do well to keep their goal simple - Protect user privacy where they can and explain to users when they can't.
A notice to the user like "You are using a key known to allow access to third parties" is just a fact and no more political than "the site you are visiting uses weak crypto standards" or similar.
Privacy is apolitical. In fact, it is built into the very fabric of how the world works.
Does the grain of sand on a beach in Japan know whether or not I've just sat down in America? No.
Does the merging black hole/neutron star somewhere in the universe know that it will have consequences for small bags of carbon and water somewhere in the universe? No it does not.
Do you know what your child is actually thinking when you harangue them for the umpteenth time? No, you don't.
Lack of privacy/privileged access to information has always been the byproduct of active human effort. The natural state of things, is for information to only effect it's immediate locality. I.e. privacy.
Lack of privacy; therefore is the political subject. Subtle difference, granted, but that subtlety belies the consequences of letting things get out of hand.
Excessive "awareness" is a problem. There are those that relish the thought for the power such systems confer; they chant
"I can make you safer!"
"You lose nothing!"
"There is no danger in this!"
"It is just the sacrifice a Good Citizen should be expected to make for the Greater Good!"
However, once the check is written, does the government ever relinquish it's right to privacy?
Nay. National Security. Just trust us.
Never mind that the assertion that led to the sacrifice of the initial liberty was that there were those amongst us who couldn't be trusted.
Nay, sir, I agree with GP. The breach of fundamental rights (or imposition of obligation) is the matter of politics, and very infrequently do I see any credible case made where something as fundamental as breaking the confidentiality of the most efficient means of communication anything but a power grab, and eventual tool of tyrannical oppression.
Consistently applied standards are good. But if a developer change can interfere with a country's politics, it's because political actors have coopted the developers' work for leverage in their own system. Dev teams like Mozilla's are under no obligation to give a stable platform to anybody's political goals.
I also think there is a risk that Mozilla if blocks the government certs then that would turn all Firefox users in the country into criminals. I'm all for security and privacy, but it is a rough choice between protecting users from surveillance by their authoritarian government or trying to make sure users can follow local laws.
I don't think that we are there. There are no laws to circumvent the bans and in fact a lot of users are using VPNs. The only measures our government is doing is technical ones: ban websites, install DPI, now they apparently plan to MITM on some (or all) connections. But I've never heard about anyone convinced of circumventing those measures. In fact I'm not aware that any similar law exists.
We could be there one day. But now the fight is purely technical. I'm, personally, going to set up dedicated server on online.net and setup proper and fast VPN for all my relatives and friends. I hope that other people would do the same.
What is interesting is that some local internet providers in Kazakhstan used to inject their own ads into http websites their users visit. I wonder if they will start doing the same with https now.
I noticed this behaviour last February with Kazakhtelecom (telecom.kz) internet provider. When I opened an http website in my browser and started clicking randomly on the parts of the page which are usually not clickable, sometimes such click would open a pop-up window with ads. Those pop-ups did also open sometimes, when I clicked on links of the page. It was unusual, because I used the same websites just a few days before that from Russia and nothing like that happened.
To figure out what's going on I opened the same webpage through proxy and compared it with localy opened one. Shell command for that was something like:
And the only difference was that directly downloaded webpage contained a reference to some suspicious script in a place, where the proxied one had a reference to a google analytics script. I reproduced this behaviour with multiple websites from two different homes, on two different laptops (Linux and Windows). So this is unlikely to be a malware in my router, and I'm pretty sure it's not in my laptop.
I'll be back in Kazakhstan in 3-5 days, I'll try to reproduce this once again.
This is so bad. I'm from India and at my parents place we have the government run internet provider. They MITM and inject advertisements all the time showing annoying popups whenever you open an http link. I don't know how this is legal even.
I'm in the US and I've caught my ISP doing MITM exploits over http (not https... so far). It's global and regular folks have absolutely no chance of knowing what is going on. Needs to be criminalized for any hope of resolution.
1. Please stop self-generalizing. This only leads to hopelessness, which is unwarrented since there's a huge amount of Internet-related activism in India, even more than the Western countries.
2. Plese stop using the label "Third-world". You are your own "first-world". There's better labels to describe yourself, namely "developing".
The present judiciary in India lacks spine, on one hand they say privacy is fundamental right on other hand they drag their feet to stop the project aadhaar which required collecting biometric dataset on whole population.
And their defense claims US has SSN which is equivalent of Aadhaar why anyone can see ludicrous
And still Aadhar requirement is not removed for filing income tax return (which results in massive penalities)
Comcast used to do this to me about 6 or 7 years ago to tell me, or someone, about torrent use on the connection and something or other about copyright infringement. They'd inject their messages into the html of websites and you'd have to dismiss them to continue to use the site. Not their site. All sites.
> What is interesting is that some local internet providers in Kazakhstan used to inject their own ads into http websites their users visit.
Several ISPs (including some big national players, not smaller local/struggling/other ISPs) trialled that sort of thing in the UK in the mid/late 00s but there was a big enough ruckus about it that they stopped.
The really egregious thing about what some of them were doing is that they replaced existing ads so were basically trying to take money of the sites (they were at the same time also trying to get sites to pay or be considered "low priority" traffic so were trying to tripple-dip: get paid by their primary consumer, get paid by the sites, and take the sites' ad money).
It doesn't surprise me that it is actively happening in places there is less choice (so "voting with your feet" is not an option for telling ISPs what you think) or public outcry is less effective (or drowned out by more pressing issues the area might have).
I had ads injected by some European and UK ISPs on my own website. I pushed me to finally get LetsEncrypt implemented and switch everything over to https.
I wonder if they also proxy stuff like the Google endpoints where chrome does key pinning, or if they whitelist those. I imagine other large systems like those of facebook (when using the app) and Apple are actively remembering what the keys are supposed to look like. That would mean that even a custom CA wouldn't allow carte blanche MITM.
Chrome will disable key pinning for CAs that are user installed rather than system provided (to support companies/schools who want to MITM for slightly less draconian reasons).
I do wonder if Chrome will go to requiring CAs for this purpose be deployed via something more “enterprise” (e.g. custom extensions on Windows need to deployed via group policy now).
Regardless of where the cert store is, it came with some CA certs "in the box". Pinning applies to these CAs. Any CA's added by the end user (aka person at the keyboard, or enterprise admins, etc) bypass pinning.
For better or worse, bypassing of pinning is required in some enterprise scenarios to inspect traffic leaving the network. e.g. Is someone attaching all our customer data to a email in gmail? To know that, I need to MITM mail.google.com.
”Any CA's added by the end user (aka person at the keyboard, or enterprise admins, etc) bypass pinning.”
But how would Chrome know if a root cert from Windows’ cert store was added by the user or not? They would all be located in the ”Trusted Root Certification Authorities” container.
"The" Trusted Root Certification Authorities store isn't a real thing, it's just a view onto a bunch of different stores that are actually separate, including a local machine store and per-user stores plus of course stores added by your membership of a domain or other grouping.
So Chrome gets to distinguish between certificates that Microsoft added and the ones added by Group Policy or whatever else to your system.
I had a similar experience with my ISP in Canada. Infact, I did a talk on how I worked out what was going on from a technology perspective: https://www.youtube.com/watch?v=_YeaYIPM-QI
If you want to conduct some testing, I'd be more than happy to help.
If I visit https://gmail.com, I expect all traffic to be encrypted because my browser checks that gmail is indeed using encrypted connection. How is this getting intruded upon?
More importantly, suppose I checkin to a hotel in USA as I usually do and use the hotel's wifi. Would they be able to intrude into my connection to https://gmail.com?
Could someone please give me some clarity on this.
The connection is still encrypted the whole purpose of certificates is to verify with WHO you are connected with. In the Kazakhstan case the government by installing a root certificate has the ability to impersonate gmail.
> More importantly, suppose I checkin to a hotel in USA as I usually do and use the hotel's wifi. Would they be able to intrude into my connection to https://gmail.com?
If the site you visit is over https you can be relatively certain that you are indeed establishing an encrypted connection with the domain owner. If it's plain http anyone sniffing in the same wifi can see and mess with your traffic
I find the social aspect of this interesting. Us "smart tech people" have been pushing https everywhere for a few years now as a way of protecting internet privacy "for the masses".
And now the government found a very simple non-technical workaround. Send a message to everyone requiring a government root CA with an easy install, or their internet won't work.
Now "us techies" have to find a new technical solution to a very social problem.
But we are in a better place than before. Without HTTPS everywhere and governments needing to ask people to install new root certs, we would not have learned about this Kazakhstan MITM issue.
No. we just feel better because it just sounds so obviously reasonable doesn't it?
Kazakhstan's low-tech approach is just that, low-tech and low-effort. They could have used tons of vectors besides simply saying "install this cert."
A tiny shred of effort would have been to package an "updater" that did the install without explicitly saying that's what it was for. Or better yet: Kazakhstan is committed to a greener more ecologically friendly future! All tax documentation will go paperless! Just use the provided USB Key to access your documents in electronic format!
A small morsel of effort would be to force it on OS vendors through regulation/licensing/threats/money for localized copies. A good deal of effort would hijack CRLs, pinnings, et al while demanding/sneaking the private keys of the CAs.
Public Key Infrastructure is fucking pointless when the infrastructure is precisely what you can't trust.
No, it's not pointless. This attack was detectable because of PKI. Without it the attack would not have been detectable.
Being imperfect is different than being pointless. Even if you developed the perfect algorithm for global security infrastructure, the Kazakhstan government could still just break down your door and implant the backdoor into your hardware if they wanted. So by your logic should we just forget about this encryption stuff and just do everything in plain text again?
Intel ME is indeed scary stuff, but I think you need to provide stronger evidence if you want to convince us that governments can snoop on anyone anywhere just because of ME.
We still would have easily found out had any of these methods been employed; any uncompromised machines still left in the country when they flipped the switch would start getting TLS warnings.
They could, of course, avoid spying on uncompromised machines to avoid detection, but then anyone practicing good security hygiene would be automatically left unaffected by the government spy program. Plus there'd still be the possibility of detecting malware through other means (malware on client machines is far easier to detect than MITM of unencrypted communications). Not to mention how much more difficult all this would be than simply MITMing unencrypted traffic.
The situation with HTTPS is significantly improved.
> Public Key Infrastructure is fucking pointless when the infrastructure is precisely what you can't trust.
This seems a cynical and lazy evaluation of the situation. No solution is perfect, trade offs must be made everywhere. With the right precautions the average person can have his/her communications encrypted. This is a much better situation than the one we were on before.
Chrome, etc., require that certificates which descend from publicly trusted roots have their certificates published in certificate transparency logs. Someone would quickly notice bogus certs being issued and the associated root would get blacklisted.
This is why certificate transparency is required now - it means that we no longer need to trust the CAs to tell us when they’ve issued an unconstrained intermediate or cross signed a root. Previously it was essentially luck that led to CA malfeasance being detected.
Especially in the post-finally-ending Symantec world the CAs understand that issuing any such cert is likely to very quickly end their business in most other countries.
I feel the real problem kz is going to have is that they have now demonstrated that they will abuse having a root cert, so there is no way any root stores will let them in in future. I imagine they’d even have difficulty getting any of the other roots to issue certs for them (managed sub-ca I think? I forget terminology)
I haven’t immersed myself into the details of the Room 641A scandal, but it does indeed sound awful. I do not approve of the operations of NSA/Five Eyes.
But let my re-phrase my question like this: Do we have any evidence that NSA can perform MITM on TLS 1.3? Using a federal US CA would be one way, tricking a CA to issue fraudulent leaf certificates would be another, but as established elsewhere in this thread, both those ways are quite noisy. Attacking the endpoint is another way, but once Mallory does that, all bets are off.
It's a tough problem because certificate pinning kills a lot of legitimate use patterns; it's not something I'd like to see being the default everywhere.
You mean CA? There are many options depending on which agency and which target you are talking about. They have few options from stealing a CA from a legitimate CA user if the want anonymity or use one that is built in to your browsers or systems somebody else already pointed out in the thread.
It's not a technology problem, it's a social one. If a society values it's privacy enough then it will change.
The real issue is how abstract the consequences of loss of privacy are. It requires people to actually think beyond "I've got nothing to hide".
No worries though. Greedy corporations and governments are greedy and they'll keep pushing the limits of societie's tolerance until it blows up in their face.
I'm less pessimistic. The practical result of this is likely just going to be more business for the cottage industry of Great Firewall VPNs, which already compete with one another in traffic obfuscation against an adversary far more sophisticated than the government of Kazakhstan. Thankfully, this is currently a case in which the incentives of the market happen to align well with the goals of defeating censorship.
> Flag anything that isn't obvious plaintext or already being MiTM'ed for analysis follow up.
The failure being that the long tail of uncategorized data would be large.
Do you have a good reference for what game state updates look like for every game on the internet? What about custom IoT device protocols? Every type of DRM used for media streaming? Document attachments of spreadsheets or database images containing arbitrary numeric data?
How do you distinguish data like that, which outside of some headers may be indistinguishable from random numbers, from someone using the same format or protocol for encoding arbitrary encrypted data?
In an authoritarian state, you just start blocking and breaking things.
Everything you don't understand, you block. And then you make the user explain it to you and then if it's a use case you care about, you do the work to either decide it doesn't have any danger of carrying traffic you care about or build an intercept scheme for it.
Ethernet can carry protocols other than IPv4. IPv6 is one of them, but there were at one time a whole slew of them, like IPX and Appletalk. But ISPs don't carry them, so they're effectively blocked and have largely died out, and everything uses IPv4 or IPv6. Even if you want to use Appletalk today, you encapsulate in IPv4 or IPv6.
There are also a whole bunch of IP transport protocols other than TCP and UDP, but firewalls have a tendency to block them, so today people just encapsulate everything in TCP or UDP.
There are a lot of TCP and UDP ports too, with their own protocols, but those darn firewalls again, so now everything is increasingly using HTTP[S].
The things that get blocked never go away, they're just made to look like whatever is still allowed. Yes sir, Mr. Firewall, this is Hypertext Transfer Protocol over SSL on TCP port 443 using IPv4, which is approved for intercept.
Except that it's really email and games and file downloads and whatever else, with things added daily by everyone on the internet, and no reference for what all of that plaintext is even expected to look like.
So you say you're going to get a DPI classifier and try to distinguish all these different types of HTTP. Except that whatever you exclude will soon be right back encoded as formats and protocols you allowed, because information theory says you can encode anything into anything.
And it gets harder to distinguish them with every iteration, because what you're really using to distinguish them is their encoding inefficiency -- it's the things that are always the same for a given class of data, even though the relevant part of the message is the things that are different. The end state of all of this is that the real entropy is all that's left and there is nothing there to distinguish with anymore.
I'll be 40 years old later this year. I've been interested in communications and communications protocols since I was about 12. I've been a software developer with a focus on network communications for over 15 years.
I'm well aware of all that you've said.
My point was, they get TLS interception down, and they capture what they want from a target of interest.
When they look closely at your traffic and decide all these cat gifs have too much or too little entropy in the data that forms their pixels, they simply (if they're courteous) say, "Persuade me that you did not know that this app was helping you hide messages back and forth. Persuade me or we shoot you now." And then they shoot.
I could split hairs and suggest that the browser accept the phony CA and simply use a secondary encryption layer on top of it, but that misses your point. A sufficiently clever evil government will see that you're doing something encryption-like and shoot you.
But, being "sufficiently clever" isn't all that easy. China has done a good job, but they're a very big country with a lot of resources and a lot of very smart people, and let's be honest, even as good as they are, anyone with a will to get that censored information will get it.
It costs a lot to censor people on the Internet. The goal of people like me is not to stop the most determined, intelligent censorship approaches, but rather to make them as expensive as possible to build and maintain.
My ideal is force governments to either accept the Internet without censorship, or almost completely disconnect from the Internet (and simultaneously deny their nations the competitive advantages that come with it). North Korea is a good model. They basically don't have Internet in North Korea. It's sad, but I can live with that; it's better than allowing an oppressive regime to benefit from the Internet while oppressing their citizens.
"Sufficiently clever" has historically been more expensive than difficult.
For example, in order to scale less expensively, the Great Firewall is architected such that it need not actively be in the middle of the entire flow of traffic and need not actively proxy. Historically, they didn't need it to do so in order to achieve their goals.
Now, however, the advancement of a combination of new technologies is finally closing that gap.
In order to maintain historic blocking capability it becomes necessary in the long run to actively MiTM all the connections.
But that can be made to scale and there are nations who can afford it.
How do we know? Because the job is not significantly harder than serving up all that content. (At worst it's a little more than 2x the work.)
And today most content is served up from a handful of privately owned infrastructures. If a corporation can build it, so too can a lot of nation-states.
You're proposing that the penalty for being suspected of subverting the firewall is death. In those cases you're going to want a highly refined system for avoiding detection, and it's also very important that one exist, because regimes that oppressive deserve to be opposed.
Fortunately the more typical case isn't kidnapping and execution but only having your connection blocked, which creates a helpful feedback loop that enables continuous improvement in the ability of secure communications to avoid detection. Which benefits everybody, but especially those in violent authoritarian countries that need it all the more.
No disagreement here. What's being done is despicable.
Rather than death, if we look at the history of oppressive societies, the more likely outcome is a job offer, the kind they won't let you refuse but they'll make it so you don't want to refuse anyway. They find the clever people who are working around the filters and interception and hire them to be the watchers. They get perks like time to spend on a real private connection, etc. Meanwhile they are required to contribute to making the noose ever tighter.
> You're proposing that the penalty for being suspected of subverting the firewall is death.
no, he's being hyperbolic to make the point that in an extreme situation, a default-deny approach could facilitate mass suppression of 'undesirable' traffic without creating an insurmountable backlog of traffic for the 'bad actor state' to review in determining what to process further.
> no, he's being hyperbolic to make the point that in an extreme situation, a default-deny approach could facilitate mass suppression of 'undesirable' traffic without creating an insurmountable backlog of traffic for the 'bad actor state' to review in determining what to process further.
Only it doesn't, because as soon as they allow anything, everything else starts to look enough like whatever is still allowed to make it through, because that's the only way to make it through.
Slashing away more things only increases the resources people will put behind making arbitrary traffic look like allowed traffic. It trades not having to review everything for having to fight everyone instead of only the people they want to block.
Then some people win, everyone copies the winners' methods to get through, and you're back to square one only now everything looks even more like everything else than it did before.
In that case, the old field of steganography might become useful. Embed illegal content within legal content and figure out another means of sharing the decryption scheme.
> Everything you don't understand, you block. And then you make the user explain it to you and then if it's a use case you care about, you do the work to either decide it doesn't have any danger of carrying traffic you care about...
You say "authoritarian state", sounds to me like the network at many employers and institutions in the US!
> An agency is tasked with doing random sample captures
not really, we know exactly what the government response is and it's turning citizen one another, that applied with the gestapo back then and it's happening today with the "social credit system"
why do all the random sampling work if all you need is one "regime believer" among a hundred person or so to maintain full awareness of dissident activities.
One of our ("tech people") main failures was that, while we made a heavy push for server authentication, we didn't make a similarly strong push for client authentication. With client certificates, MITM like that is not possible, unless the server also trusts the MITM CA to authenticate its clients (and uses a CA for the client certificates in the first place, instead of a direct mapping between users and their certificates).
Using CAs to authenticate clients is subject to the same attack. They block communication from any client that won't disclose its private key to the MITM box or use it to encrypt/sign whatever the MITM requires it to.
You can't have security if you have a MITM that says "compromise your endpoint or we block you" and you concede to that. The only real solutions are either political or making the encrypted traffic look like some permitted traffic. (Or using a different network.)
> Using CAs to authenticate clients is subject to the same attack.
You don't need to use a publicly available CA to verify client-side certificates. The server could use its own internal CA to sign CSRs from clients and send the reslting certificate back to the client via email or some other means.
In which case the MITM will be unable to connect to the server because it won't have the certificate (that you sent via email or some other means), so the service simply won't work. That's the whole point, you either go through MITM or not at all.
Somewhat related: if there were a shared password between the client and server, Password Authenticated Key Exchange techniques [0] could offer protection even when the server CA was compromised. PAKEs use zero-knowledge proof techniques to assert that each side already had password material (and derive a key from it) without revealing what the actual password was if the other side didn't have it to begin with.
In this case, only connections where a password was already agreed on would be protected vs. general unauthenticated browsing.
There was a draft proposal to add PAKE support to TLS 1.3, but it appears to have unfortunately expired [1].
TLS 1.3 was in some part an exercise in removing crap people thought might be a good idea in earlier versions, but then either never used or turned out to be a terrible idea but was notionally "optional" so you could say to keep using TLS but just disable that feature. So there is skepticism pre-existing in that room against the idea of just adding more stuff than might be cool unless it's clearly _needed_.
A feature that keeps six people in Kazakhstan (who happen to have manually pre-configured a PAKE) safe but everybody else is still screwed isn't the sort of impact TLS 1.3 was looking for.
Email is similarly unencrypted by default and can be blocked if encrypted and being used as an active circumvention vector. Yes, mail servers outside the jurisdiction could work until https access to gmail is also blocked- but that’s not outside the realm of possibility (see: China) and also begs the question: how do you get to your secure gmail web interface if you need to receive a secure email before your first login?
This is why I'm always advocating for political engagement for fighting these kind of issues. It's not exactly hard for a government to ban or forbid circumventing their monitoring. It does take time, but they're about to catch up.
It’s far harder if you have a major tech industry to push back and the whole massive security risk this exposes big corporations to. Which is something Kazakhstan must not have much of.
This is also terrible for foreign investment and attracting business. It also makes foreign intelligence’s job easier.
You’ve got their priorities mixed up. Staying in power is more important than foreign investment if you’re an authoritarian government. What’s the point of growing the economic pie if you’re not in a position to profit from it ?
Now if you’re a politician in a democracy, you know it may be all over in about 8 years, so it’s more your interest to cosy up to the companies
It’s rare for a politician to only work 4yrs at the policy making level. Most of them are career politicians these days or retired wealthy people, not people with regular jobs giving politics a shot. Yet they all seem to be wealthy in the US, even after years of public service, regardless of their overt stance on business politically. Which is something the big firms can always rely on.
Except I look at the linked mailing list and you already get "us techies" arguing "uh yeah but uhm this isn't so different from the corporate CA intercept thing right so let's not blacklist it uhm".
There's a broader reason. If the normal browsers break this, the response will just be that they do their own national fork of an open-source browser and distribute that to their people.
The downside of pushing them to that is that that browser will be unlikely to get regular security updates and will likely hide the interception.
Actually, I don't see the issue here. It is literally the same thing as corps intercepting the connections of their employees or visitors. In fact I trust my employer even less than I trust the government.
But I disagree with the response that says we should do nothing. In fact, corporate root certs should be blocked / ignored by the browser in the exact same way and for the exact same reason. The only exception should be certs issued for a limited number of domains that are only active in a specific developer mode that can be enabled by knowledgeable users.
Sure, technological solutions can't solve this issue 100%. (My employer can also fork a browser.) But acting as if everything is OK when the connection is being MITMed is wrong and browsers shouldn't do it.
> corporate root certs should be blocked / ignored by the browser in the exact same way and for the exact same reason ... technological solutions can't solve this issue 100%
Technological solutions can't solve this at all if the entire stack is controlled by the interested party.
In the case of government snooping, you (theoretically) own the end device being used for access. In the case of corporate snooping, you're using corporate owned and managed devices. There is absolutely no technological solution that exists that will prevent another person from building software for (or selling to) corporations who need to snoop on their employees. Considering the selling price of appliances that perform these services (e.g. Bluecoat's range), the cost of a browser is negligible in comparison.
I don't think it's fair to conflate a lack of privacy on corporate owned devices with a lack of privacy on your own personal devices.
Yes? This isn't that complicated. You break it, and when competitive browser X refuses to do so, you sell the idea that browser X is compromised for all users everywhere (not just in Kazakhstan)
Stop thinking about the country with literally less than 1% of world internet users and start thinking of the reputational damage a less than charitable presentation of your collaboration with a totalitarian state against your users would do to the other 99%+ of your market.
Apple is openly collaborating with Chinese regime, including allowing the government to snoop on all Chinese traffic, yet they still have a high reputation for privacy. This just doesn't work, people don't give a shit about other countries.
Which is bad news for the ~15m internet users in Kazakhstan. For the ~4000m internet users not in Kazakhstan & generally immune to their rubber hose attack, protecting them from being one BGP fuckup away from being MITMed by a hostile foreign power is much more important.
If you want to put a stop to things like this, then you have to. Complaints from companies and the general population should be enough to fix the issue.
Is it better to be complicit with an authoritarian regime that is actively spying on their people, in order to have a marginally larger user base? I don't think so.
In fact, you're making it worse because you're giving legitimacy to a government that is conducting actions which we shouldn't consider acceptable. If the US government started doing the same thing, I would really hope that browsers would block those certificates too.
Will oscp stapling be able to be used to detect "something fishy" going on, because in that case the root ca wouldn't actually match. Do browsers compare the oscp root with the root of the current chain?
Actually, if it's mitm it's "all bets are off" isn't it, because the KZ government can filter that it out the proxied response?
Still, if oscp can assist at all, it's probably worth it that the browsers check for mismatch (if they don't already)
Browsers always trust manually installed CA roots, because that scenario is used by many corporations to monitor their traffic. OCSP, HPKP, etc won't help.
There are more benign uses too - many organisations run an internal PKI, and installing their root CA prevents employees' browsers from displaying warnings about untrusted certificates when accessing internal web apps/sites.
You might be able to make intranet.company-name.tld and have a parking page on the company-name.tld and use that to get a wildcard cert that can be used for the internal pages.
However you would have a single wildcart cert + key that would need to be placed on thousands, or tens of thousands, of machines, by hundreds of staff is dozens of departments.
It would be meaningless.
I can prove ownership and then receive a wildcard certificate for *.internal.company.com, usually by a TXT record or similar (lets ignore EV certs for now), however that certificate isn't an intermediate certificate which is limited to signing new end certificates for blah1.internal.company.com, but wouldn't be able to sign for blah1.not.company.com.
I'm no SSL/TLS expert by any means, so please let me know if I'm wrong and it is fairly easy to get intermediate certificates that are domain name limited - x509 constraints are apparently flakey.
I don't think it's a bad use. When I logon to my SAN or UPS web interfaces, I don't want to type https://ups01.publicDNSdomain.com, and visit a site with a CT logged certificate. It's an absolutely internal thing and every Active Directory domain already has an (ideally) non-externally resolved DNS domain setup for use. You've already got an internal CA and deployed your own root because there's a series of Microsoft services that work best this way, so it makes a lot of sense to continue to use rather than trying to introduce Lets Encrypt in this scenario.
You don't have to serve that website publicly or even set up DNS records. You only need to set up DNS verification to serve one public TXT record for letsencrypt. Everything else could be internal. Letsencrypt certifies that you own domain. You can do anything with that domain.
Sometimes you don't want to make that information public though. For security (you don't want to publish your whole tech stack information) and secrecy (you don't want to publish registration of halflife3.internal.valve.com).
Wildcard certs are a security ops nightmare. You really don't want to throw the private key for that around to every small project, and you need some good, automated way of rolling them across multiple services. Doable, but if you can avoid this, it's a better to avoid.
This 100x - in just about any organisation of any size, if you use a single wildcard cert for all internal services, then it's inevitable that the private key will end up in the hands of an employee that shouldn't have it.
Well, it's unnecessary work to install and maintain that internal CA. Keeping CA key safe is very important, because leaked key might lead to your internal connections to, e.g., Google be compromised, so it's like keeping a bomb inside your building. If you already have that internal PKI, you can use it, sure, but I still think that it's a bad idea to use it only for internal websites.
> Letsencrypt solves any need for legitimate certificates.
... unless you want any private keys to be personally signed and or generated by bob & alice over in security after checking some boxes in an internal audit form, or any other number of company-internal schemes involving signing and encryption of business-specific data
You're generating private key securely. You're generating CSR which contains public key and signed by that private key and now you need to move that CSR from private location to a public location. But that's not bad, it does not contain anything that could be compromised and your private key is kept safe. Then you're using letsencrypt to issue that certificate using that CSR and keep using that CSR (it does not expire) to renew certificate. All that time private key is kept in safety and is only used by your webserver.
Letsencrypt allows you to generate legitimate certificate for internal websites without any compromise on security.
The only use-case that's not possible with Letsencrypt is to issue certificate for IP address.
Letsencrypt only issues certs for publicly accessible hosts. If you've got a bunch of intranet servers / REST services / whatever that are firewalled from the public internet, you're out of luck.
For mobile apps, though, you can bootstrap HPKP with a key built into the app. I worked on an app doing this, and it would certainly fail to connect in this scenario.
One solution is to use Name Constraints. The organizational certificate authority could be issued with Name Constraints limiting its power to a certain domain name only, e.g. *.example.com, using Permitted Subtree.
If I was setting up an organizational CA for internal websites (not MITM), I would consider using Name Constraints to limit the certificate's scope and potential for abuse or compromise.
> Now "us techies" have to find a new technical solution to a very social problem.
Cert pinning does mitigate it for apps, doesn't it? The end-user doesn't need to really worry abt rouge root CAs, if my understanding is right.
Traditional VPNs, P2P VPNs, Tor as a Proxy (decentralised net? dat/i2p/freenet/ipfs) could solve it generally across various use-cases, of which, VPNs are already mainstream.
> Cert pinning does mitigate it for apps, doesn't it?
Applications where the developer has pinned to their own certificate will stop this attack.
Chrome and Firefox will ignore pinning for locally installed CAs. This is a very common use case in the enterprise where, for example, a bank has audit requirements to decrypt and store all workstation traffic.
It'll "stop this attack" by ensuring that the app won't work through the MITM - so it won't be able to connect from any Kazakhstan users unless/until the pinning is removed.
Not necessarily. We have rolled out SSL inspection at my company and have to exclude certain apps (e.g. Dropbox, Google Drive) or else they won't work. The FW just blocks the connection and the user gets a SSL/TLS error.
Sure, but then instead of the government saying "hey, run this thing or else your app won't work," they can only say "your app doesn't work now." Spying on you is still prevented.
I dont think pinning will work with for example letsencrypt. You can pin many certs but if you loose them all you are screwed. If you check your root cers you will likely find one from every major ISP in your country.
You would usually pin an intermediate, so for Let's Encrypt that would be Let's Encrypt Authority X3 (it might also make sense to pin Let's Encrypt Authority X4 as a backup)
And er, no, the overlap between operators of public Certificate Authorities and national ISPs is very small. There are only 57 root CAs trusted by Mozilla.
You don’t need to pin against a state. Just deselect Kazachstan as a region where your app is offered, because it’s not going to work anyway if you try.
The solution is to warn users that their security+privacy is compromised, and let them make their own informed choice. Techies don't often see that their own wishes shouldn't trump those of individuals (but maybe we're getting into politics now)
Another technical solution would have been to allow security without privacy. If the purpose of the government actions is just to monitor content, you can enable that without disabling security. The HTTP protocol could be modified to transmit checksums signed by a cert, so that a client can verify that content has not been modified, but that content can be (optionally) not encrypted, but still no content-injecting attacks can take place.
But privacy advocates don't like it, so the result is either you have total security + privacy (such as it is), or none at all.
Unfortunately governments like that will continue to do low effort workarounds as long as they have police and military forces to respond to those who don't conform.
Everything can be justified by national security. You can't try and block something with "an end-less series of law suites" if the defending party doesn't even need to provide any kind of proof. "Why are we MTiMing HTTPS? This is un-constitutional! -- Because internet is a threat to national security which in turn has higher priority than your rights, Citizen!. Everything else is classified and will be discussed in a closed court." Take a wild guess what that court is going to decide...
Aren't some US providers (Comcast, Verizon?) injecting nasty tracking/advertising into HTTP pages?
That's extremely worrying as well and it appears politics so far are unwilling to make it illegal. There needs to be more protest and more competition so consumers can vote with their wallets.
Maybe this sort of interruption is manageable when half of your 18 million people are rural and the economy isn't heavily dependent on internet traffic. Try doing this in a more urban populated country and you will see a much different outcome.
The goal here is to validate that one is communicating with whom they think they are. That's as pure a technical goal as you can get. Oddly this is still an unsolved problem on the internet. BTW any solution to this problem will be attacked or shot down by governments and companies around the world.
I was certain I read a few years ago that Google would mandate that all OEMs would be forced to use a single unified certificate list, which I thought at the time was a way to pre-empt this sort of thing. But I can't find any new info about that anywhere. I only found an article about how to add new certificates on new Android versions in 2019, so I guess you can still change them.
I wonder if Google changed its mind about this once Sundar Pichai took over and then gave Project Dragonfly the greenlight.
It's just the way this universe works. The struggle is eternal. Probably built into the root parameters of the Big Bang, if you could somehow trace it that far back in time and causality (which you probably can't, I dunno).
We need new measures to not allow these certificates to be installed unless they're verified, or at least the OS shows a massive giant warning "DO NOT DO THIS unless you accept this cert gives $identity access to all your data".
I mean, the choice being presented is to install the MITM cert, or to not use the internet at all. The latter is an answer, certainly, but not what I would call a very good solution.
It's a common meme that users will click "yes" to everything, but I'm not sure people realise just how far that goes. Look how it looks when Chrome marks a site as malware:
Wait until you're doing forensics on a cryptolocker outbreak and you find not only did a user do that, but multiple users helped her through it and the management then praised her for overcoming technical barriers even after it was found to be the cause of the incident.
Unfortunately nothing about warnings makes anything a solved problem.
Which is, tbqh, a useless solution. Oh wow, now an attacker just has to include some obfuscated javascript encryption lib. Bam. Exfil detection completely bypassed.
For example corporations might want to make sure that worker is not sending e-mails with confidential data from its gmail. Sophisticated thief surely will circumvent that kind of protection, but a lot of thieves are stupid, so simple measures actually work.
If they're scrutinizing you closely, I would not trust my life to it. If the hash of the cat gifs you're exchanging is different from others, eventually there's going to be too much or too little entropy in those pixels and they'll make a strong statistical case against you.
to be fair some of us told from the beginning that making all user used to trust the green check would have caused this sort of trust fatigue to the point the majority would have stopped bothering with the actual certificate content and trust chain, and you can search my history highlighting this very issue in relation to let's encrypt, it was a social issue from the very beginning and I got downvoted heavily and repeatedly because apparently "techies" can't be bothered with exceptions and failure modes once a catch all solution is found
We don’t want users to trust the green check, because it never meant you could trust a site. We do want users to distrust plaintext, because it means the café you’re visiting can steal your password. I don’t see how this is a good criticism of the push for HTTPS everywhere (which appears to be the context here).
because cafe can just ask people 'install this extension to navigate' and non-tech users being users will fall for it most of the time, because state actor can do even worse, and once we trained the users that non green check is dangerous they won't have the knowledge to distinguish between "insecure with no check" and "maybe secure with check but I've to control every time the details", people will shortcut that part, until some researcher finds our for them and even then it's not guaranteed that the message will reach everyone
Exactly - this is why we don't want to train people that non-TLS traffic is insecure, but rather keep them from encountering it, ever, ideally. TLS must be the default- a baseline- and deviating from that baseline must be at least as hard as getting a user to install a malicious extension.
Ever SSHed into a server and been told by your SSH client that, oh, by the way, the server is using the NULL cipher with no authentication, and network attackers can mess with your session arbitrarily? Probably not. That's what using plaintext HTTP should feel like.
I think you're missing one important detail: the idea behind the green padlock is that the average end user isn't technically capable of (or shouldn't have to) monitor all the details of their internet connections to make sure they're secure.
If that basic intuition about users is correct, the solution is not to give up on this and force users to deal with the true complexity of the situation. The solution is for the browser to show a red blinking INSECURE instead of the green padlock when the cert it receives for a site doesn't have a valid chain to a root in the default key store shipped with the browser.
To be honest, I can't figure out why this isn't already the default behavior. It would solve a bunch of other problems as a side effect, including insecure crappy antivirus programs that MITM your internet connection.
if they can force a cert into your os trust store they can force a cert into your browser trust store, this solves some very specific issue but not this one.
this is kinda rich under an article where they forced a cert into the is trust store. it takes the same amount of effort to get the cert into browser specific stores because these need to be editable and an installer get control of the system anyway
"it rather involves being already at the other end of this airtight d doorway"
the current page ask the user to run an installer, elevating privilege. there's nothing a browser can really do against that. DLL can be replaced and signatures can be tempered etc.
just because you said "ship them with the browse" doesn't make you magically right nor safe under the linked threat
Alerting the user when a MITM certificate is active in the trust store is relying on a completely different threat model than "protect the entire operating system against state-mandated malware". I'm saying browsers should at least do the former. You seem to think that's pointless unless they also do the latter, but of course they can't do that. Some security of the trust store is better than no security.
If it does not, could you file a bug report with a complete packet capture (and exact browser version - multiple browsers are preferred)? https://github.com/caddyserver/caddy/issues
(Edit: Reportedly, "not all Internet providers have started MITM attacks yet" so if you do the test, make sure you are on an intercepted network... if safe to do so.)
So uh, should I be concerned at all if my connection came back as a likely MITM from my home network in the US? Or is it most likely a false positive caused by my firewall or something?
I tested it both off a VPN and on a VPN from my iPhone yet still had the same result both times.
If your phone is also used for work, you might have gotten a root certificate installed through their MDM program. Check Settings>General>About>Certificate Trust Settings for a root certificate.
On this machine I get "likely" in firefox, "unlikely" in a firefox private window and "unlikely" in chrome. Not sure what to make of that.
(Also all of the installed extensions are also enabled in private mode. I know that changed recently so I checked. Also the certs the browers claim I'm getting in all three scenarios seem to be the same...)
Probably an outdated implementation of our rules, regarding Firefox on your machine. Feel free to file an issue; also we will be switching to Cloudflare's mitmengine (based on the same research paper, but they have way more resources to keep it maintained at scale, thus making it more accurate) in Caddy 2 in a matter of months.
It also said "Likely MITM" for me (Firefox on CentOS 7), but the SHA256 certificate fingerprint in the browser matches the one seen by Qualys (https://www.ssllabs.com/ssltest/analyze.html?d=mitm.watch), so at least in my case it seems to be a false positive.
iOS is tricky because of its weird rules regarding TLS libraries and web views. If you are sure you haven't any rogue CA certs in your applicable trust stores, it's probably a false positive.
I just tested with ExpressVPN via their Kazakhstan endpoint. On 46.244.29.XXX on the ISP A2B IP B.V. I don't seem to be MITM'ed at all, so I can't report anything about the MITM-detector.
This sort of misbehavior is, unfortunately, common to a number of VPN services that claim to have endpoints in many unusual countries. ExpressVPN has sort of owned up to it (but they don't exactly make those disclosures obvious); others have not.
Thanks for the report. Both I and Cloudflare[1] are interested in any updates. If you know your connection is being MITM'ed by your ISP or your government please do the test again if it is safe to do so.
VPN with endpoint on affected ISP + Installing the cert (which is linked in the issue on Bugzilla) should be the same as just using the affect ISP directly, shouldn't it?
Yeah, it should, unless this is only for residential ISPs, which I strongly doubt. I can't appear to find a Kazakhstan-hosted VPN however, did you find one?
The pertinent page [1] of a local ISP, Kcell, is interesting - very devious.
> Kcell JSC informs its customers of the need to install Security Certificate on personal devices capable of connecting to the Internet
> Due to the increase of identity and personal data theft, including stealing money from bank accounts, introduced a security certificate as an effective tool to protect the country’s information space from hackers, online fraudsters and other types of cyber threats.
And some FAQs are hilarious (as in hilariously devious):
> What happens if I do not install the Security Certificate?
You may have problems accessing the Internet.
> Will installation of the Security Certificate affect the protection of my personal data?
The security certificate has no access to your personal data.
Yeah, true that, literally, but you forgot to mention something there...
Wow, if only everyone was as smart as Kazakhstan and figured out that this super awersome Security Certificate was "an effective tool" to protect the entire country's information space. And I've been wasting time with strong passwords, 2FA, E2E encryption, full disk encryption, etc. /s
I have custom root certs for internal dev sites for my company. That's fine, but I'd like to add the root with a caveat that I control saying "I trust this root for *.mycompany.com,mycompany.org", but that I know means they wouldn't be able to proxy "mybank.com".
I don't think Firefox or Chrome can do that can it?
I'd like that as well, for exactly the same purpose.
To the best of my knowledge, no browser can do this today, and I don't know of any other software that can do that either. (I'd want to have it in the system certificate store with the same constraint, as well.)
Name Constraints, as mentioned elsewhere in this thread, wouldn't solve the problem, for two reasons: most software doesn't support them (and silently ignores them rather than correctly failing closed), and they require the CA certificate to contain the constraints rather than system configuration adding the constraints.
We need a mechanism to place certificates in a certificate store (browser or system) with specific domain constraints configured by the administrator. To avoid the failure mode of Name Constraints, those certificates shouldn't be accessible to software that doesn't know to enforce domain constraints.
That would also require updates to various SSL libraries (and to browsers) to handle this new certificate store and enforce the constraints.
A mechanism to constrain root CAs to particular URLs/domains was proposed in firefox a while ago[0]. Perhaps an idea whose time has now come?
It seems like the principle of least privilege could easily be applied to the CA system rather than trusting all CAs for all domains, as there seem to be obvious/natural constraints in certain cases (like CAs that only operate under a particular country TLD).
> most software doesn't support [name constraints] (and silently ignores them rather than correctly failing closed)
Could you elaborate on this? Specific examples? CVEs? My experience has been that most software will either honor them, or honor the "critical" flag, which is correct (if disappointing) behavior. If you want it to fail closed, use the critical flag. If you want it to fail open, clear the critical flag.
The last time I investigated this this, several years ago, I found that several SSL libraries simply ignored the extension entirely, whether it had "critical" or not. Older OpenSSL did so, for instance.
Doing some additional research, it looks like the situation has improved significantly now, and name constraints might actually work as designed if you don't care about older systems.
That still doesn't address the ability for a browser/administrator to apply such name constraints to a CA that didn't ship as part of its certificate, though.
and that would have to be baked into the CA certificate, not specified when the CA is trusted. I dont want my browser to ask the CA what it's allowed to do, i want to tell it what it's allowed to do
It has to be baked into the CA, so that a browser vendor can check it before inclusion. If the CA specifies domains it is not allowed to sign certificates for, it will not be included.
You should be able to do this for Firefox, in two ways, neither of them very convenient, but if you're excited enough about this to put some work in:
1. The actual browser software has its own rules for what's trusted on top of the root trust store often copy-pasted into other software (e.g. in the Python package Certifi). These rules include name constraints of the sort you're interested in, functionally they're used to constrain roots that might be fine but whose government operators promise they're only for some TLDs under authority of that government, so in a sense for those names the government decides who "really" owns them anyway.
Rather than link a horde of HN readers into Mozilla's poor mercurial server I'll point you more indirectly at a summary from their wiki:
You can fork Firefox and add your own rules to NSS, or if you're feeling really fancy, your own extension mechanism to add rules at runtime.
2. You can spin up a root, and trust it, and use that to sign a suitable constrained intermediate. Then, destroy the private key for the root and continue using the intermediate.
In this scenario Firefox gives total trust to your root, but it can't possibly proxy mybank.com because you destroyed the private keys, it can't do anything further at all. The intermediate, which can still issue, is constrained.
Google (I think? Some big tech firm with know-how) has used this trick for products that do loop-back HTTPS. It mints a root cert during instal, issues one certificate and then destroys the private key, then it can trust the root cert but without any danger you later get MITM'd by the root, because that root's private key no longer exists anywhere.
CAA is a mechanism for trustworthy CAs to agree not to issue certificates to people who don't want them.
So if you set CAA to insist you only want Comodo certificates in darkhorn.example, Let's Encrypt will refuse to issue certificates for names under darkhorn.example
But no matter how you set CAA for darkhorn.example, my private CA can issue certificates for it no problem. Let's Encrypt aren't _prevented_ from issuing, they are _declining_ to issue by policy, and that policy is part of why the world trusts them. But the world doesn't trust my private CA, so I don't have to follow that policy.
No, although the root itself could be scoped that way with an X.509 name constraint. But if you add the root then I believe there's no browser policy to otherwise limit the names for which it can be trusted.
On a tangent, do you know off-hand what browser support for name constraints is like? The last time I looked was a few years ago and at the time it wasn't well supported but if that's improved it'd be a good step for intermediate certs.
The last time I looked into it, a few years ago, everyone except Apple had some basic amount of support. (That is, openssl, firefox, windows, and android — that's all I looked into.) I set up my private CA with name constraints, but I had to mark them noncritical if I wanted iDevices to be able to use the CA at all.
But the other systems did at least appear to honor the constraints.
I've asked Apple security folks about this a few times, but they just look uncomfortable and change the topic.
> It must have been many many years ago, more than 10 at least.
You would be unduly optimistic — for example, Apple did not support them at least as recently as 2015 (see e.g. https://bugs.chromium.org/p/chromium/issues/detail?id=407093...) and 10 years ago OpenSSL hadn't even shipped support upstream, plus however long it took your distribution to ship a major version upgrade to 1.0.
I was hoping someone might have a pointer to current information on that topic since I believe Apple did finally fix Secure Transport but not when.
I am afraid I don't have better information on when but some anecdotal information about the state of it. I have done some limited testing and research for our own internal Root CA I got the impression it works nowadays.
I have not gotten as far as testing it in production but based on testing Safari and Chrome in https://nameconstraints.bettertls.com/ and creating our own name constrained cert and testing it with both OS X Curl and Linux Curl (OpenSSL) I am still of the impression it works.
I'm surprised at comments in the bug threads suggesting they do nothing. The idea being that fighting this would force governments to fork/change browsers, ultimately being a worse experience for users. Seems like betraying people's trust is a pretty bad user experience.
There will always be a fight over privacy. Giving up to a foreign government is a terrible idea. It would absolutely just let the problem spread and get worse.
I don't think Kazakhstan has the resources to replace outside online services. A move like this should simply result in them shooting themselves in the foot. This needs to be a firm line such that it's simply not practical for them to implement.
I understand that bugs/discussions should weigh both sides. And ultimately, we may need more than HTTPS. That's fine. The point is we don't just roll over and give up.
If a government mandates its citizens to install the government’s own root certificate, then it’s not that easy to find a long-term technological solution. The problem here is not a technical one, IMHO. The problem is that the government of Kazakhstan is not respecting the freedom of its people.
IMO what’s needed is first and foremost more democracy in Kazakhstan. That’s not something that Firefox can solve.
With that said, perhaps anti-surveillance technology can assist the affected users. Maybe Tor. I’ve heard about some other, similar project but I can’t recall its name right now.
I don't agree. First off, no matter how you or me may be enraged by the incident, this is not (and shouldn't be!) a "moral problem" for the Firefox. And, by the way, if you are not living in the Kazakhstan, it's not for you to decide "what is needed first and foremost in Kazakhstan", it's their business entirely.
From the point of view of the Firefox, this should be an extremely simple technical problem. There is CA that is known to be "compromised" in an entirely technical sense, i.e. it is known to allow MITM. So blacklist it, end of discussion. Allow the user to remove it from the blacklist somewhere in browser's settings: it's not for you (Firefox) to decide what the greater good is.
I assume, it would indeed be a problem for Kazakhstan to fixing the service if people are not using the internet, because their browser doesn't work (because it's both an economical and a social disaster, obviously). Or maybe it wouldn't, because Kazakhstan will send troops to every home to replace every browser by Kazakh-fox or whatever. And it may play out to the better in the end, as much as it can lead to massacre.
But (as a 3rd party technological company) don't play mighty and powerful, responsible for the lives of people in Kazakhstan, it's not your fucking business how they live. You see a technological problem (known CA allowing MITM) — you solve it (block the CA!). That's what you promised your users to provide, to fix technological problems, not to fix the political climate in Kazakhstan, USA, China, whatever.
> Giving up to a foreign government is a terrible idea. It would absolutely just let the problem spread and get worse.
Their government isn't merley "snooping" on it's citizens due to a week chain of trust architecture and a lack of ethical clarity... it's requiring by law that it's citizens be snooped on and censored. In such a regime, a technological arms race is not going to change the legality of subverting their measures, and cannot help the masses without simultaneously jeopardising their safety.
History contradicts you. There are examples from communist block where technological solutions that bypassed government restrictions helped to spread banned information.
I did not say it cannot help, I said it cannot change the legality of subverting the government, and so cannot subvert the government without simultaneously jeopardising citizens safety.
Google, Mozilla, and Microsoft need to take a stand here and blacklist these certs. All of the efforts to move to HTTPS, and all of the rhetoric surrounding it, are just wasted time and empty words if we as a tech community allow this kind of behavior to go unchallenged. This sets such a dangerous precedent, and governments need to know that this kind of meddling will not be tolerated.
That's exactly what will happen if they all-out blacklist. The best near-term option may be a compromise: a special indicator in the browser UI that the connection has been set up in such a way that some organization may be monitoring.
Modern browsers require that leaf certificates which are issued in a chain which descends from a built in publicly trusted root include "certificate transparency" information. This means that the certificate has been published in numerous public logs and so would be discovered.
No doubt the NSA intercepts all kinds of things, but they're not doing it with TLS MITM technology (at least not without further additional hacks).
They don't even need to fork Firefox - there are couple of Russian browsers (https://browser.yandex.com/, https://browser.ru/) that would definitely allow Kazakhstan government to snoop into traffic (and hey even have Kazakh language support already). ISP will just advise clients that bad western companies banned Kazakhstan, so please use good safe Russian browsers.
Let's get Congress to do it - fix the collective action problem. Pass a law that says that all American companies are forbidden from serving traffic to countries which require their citizens to install compromised roots on their personal devices. Treat them like North Korea / Iran.
I'm from Kazakhstan using the biggest Internet provider (Kazaktelecom) and that's not true for me. No MITM here. May be not yet. Also checked mobile provider (Activ) and no MITM here too. But I saw local news, so probably not fake, though I'm not sure if it'll be mobile internet only or all providers.
Same here. Haven't yet got any SMS or notifications from my mobile/home ISPs, but couple of my friends are reporting that they did / there are many posts at social media, proving the fact, like this one: https://www.instagram.com/p/B0Do5IOHjab/
> This comment on the mozilla.dev.security.policy mailing list says that right now it's only for users in the nation's capital
I'm from capital (Nur-Sultan, former Astana).
I just checked my wife's phone and apparently she got SMS. Funnily enough, her cellular internet now does not work at all. Probably rollout is not going easy.
They should just put a red dot on the browser bar somewhere indicating a non-normal root cert is being used (this would also help in dev / test scenarios).
This is actually the subject of some debate, believe it or not, there is a good argument against it.
Here is the crux of the issue, many TLS middleware providers install their own root certificate for network monitoring, data loss prevention, security scanning and so on. I personally would like them to stop doing that or at least make it obvious to end users it's happening. However, in order to modify the root store, they must have been authorized to do so by the Administrator, and it's their network or hardware.
If we try to make it obvious to users that this inspection is happening, these providers will switch to using alternative methods, such as using Microsoft Detours - which would be even worse, now you have random vendors patching security critical code in such a way that is not discoverable for end-users. This cannot be prevented, because they must already have Administrator access or they wouldn't have been able to modify the root certificate store in the first place.
In this Kazakhstan scenario, imagine if adding the government certificate put a red dot that said "You are being monitored". If the government didn't like that, they could instead require you to install monitor.exe that had the exact same effect, but didn't show the dot by patching and hooking all the crypto APIs. I find this argument against adding an obvious indicator quite compelling.
In this case though, it seems like the government has no problem with telling people they're being monitored. The fact that they're willing to tell people to install a TLS certificate is indicative of that.
I think companies in the US are legally required to provide similar disclosure when monitoring their employees, so I don't see why they'd have a problem with a persistent indicator like that.
In this case though, it seems like the government has no problem with telling people they're being monitored
Not at all. They spin it as providing security:
"Due to frequent cases of theft of personal and credential data, as well as money from bank accounts of Kazakhstan, a security certificate was introduced that will become an effective tool for protecting the country’s information space from hackers, Internet fraudsters and other types of cyber threats.
...
What is a security certificate?
A security certificate is an electronic certificate that allows to protect Internet users from content that is prohibited by the laws of the Republic of Kazakhstan, as well as from malicious and potentially dangerous content. The security certificate is intended to provide subscribers of cellular communication in Kazakhstan with Internet access in the most secure manner."
This is a silly argument. You might as well say that Firefox should include an option to silently submit all your keystrokes to a designated endpoint, because after all if you have access to set that option you have access to install a keylogger.
So what if they could, in theory, work around the indicator by asking users to install some dubious live-patching executable? Firstly, the users wouldn't have to do so - the enforcement mechanism here is ultimately the MITM itself, so as long as the users just installed the certificate they could continue to access sites (they would have to make the certificate available separately, for installation on iOS / Android / ChromeOS etc). Secondly, the security implications of live-patching the executable are mostly irrelevant, because the only people installing this have already lost the security game. Thirdly, there is a benefit in making the bastards work for it - keeping that live-patcher up-to-date and working against a range of target executable versions is going to be bitter work.
Companies will typically want their employees to know they are being monitored for legal reasons (as well as deterrence), so it seems like they'd have no reason to want to hide this?
Maybe clicking on the red dot could show a page with company policy.
That would help people who already know what a root cert is, but it's well known that most people ignore any indicator in a URL bar. Even "smart people" ignore them. Do you actually check the lock status of every site you visit?
Also, it would be great if there were a "red dot" style warning when you manually click "Proceed anyway" while viewing a https page with an invalid certificate (currently, the browser remembers the "Proceed anyway" decision and accepts the invalid cert after the initial acceptance of the warning)
There's the big red X over the HTTPS icon in the address bar in Chrome and I'm pretty sure there's something similar done to the padlock icon in Firefox, no?
What makes everyone so sure this isn't happening everywhere already?
The problem Kazakhstan had was that there was no existing CA they could already force to issue certs. So they had to make a new one. It would be foolish to assume that none of the many trust anchors your browser already trusts haven't already been compelled by your local government to do exactly this.
> Certificate Transparency would make it blatantly obvious if any existing CA were being compelled by governments to issue fraudulent certs.
CT makes such an attack obvious, but the harm can't be undone.
A case study: root certificates for the GPKI, the South Korean governmental CA primarily used for public institutions, are not included in most browsers except for maybe IE [1] but frequently trusted due to (still) prevalent uses of ActiveX controls. It is of course subject to CA/B Forum baseline requirements [2] and publishes CT records, so you may guess their "accidentally" invalid wildcard certificates [3] are quickly spotted... Heck no! It was only noticed 3 years later [4]. No one knows what happened in this period.
[3] For example, https://crt.sh/?id=6990343 contains a public suffix `.co.kr` (comparable to `.com`). Note that the BR contains very strong requirements for such public suffixes, which the GPKI didn't follow.
Not only does it not solve this problem, it actually makes controls like this easier to deploy: Kazakhstan controls the keys for its own ccTLD, and will simply require people to use .kz variants of services (and require services to provide those to deploy in Kazakhstan). Many of the most popular sites in Kazakhstan, including Google, are already reached on .kz names.
I think the most important thing to keep in mind as you read through this issue and the comments is "be careful what you wish for". No doubt cases like this will be taken as arguments for making it even harder to install your own root certs than it already is, meaning that those who run MITM proxies on their own networks (e.g. to filter out ads even in otherwise unconfigurable browsers and such) get affected negatively, and it takes away from personal freedom. Also, don't forget that the pro-DRM and adtech crowd would love for nothing other than you to get exactly what they serve, whether you want it or not.
The increasing politicisation of Mozilla is also a concern --- it seems unwise for it to fight a government, or turn their core product into a platform for doing so. It's sad to see "privacy" brought up as an argument, and that seems to be Mozilla's main one these days; I think it's perfectly fine for people to desire privacy (and my MITM proxy will help with that, by stripping out trackers and such), and for Mozilla to offer services that do (they could work on their own VPNs and "firewall busters", for example), but the attitude of knowing better than the users or forcing them to trust or not trust certain entities is wrong.
So it took them only two weeks to take advantage of Firefox's new policy to automatically "fix"[1] man in the middle attacks through enterprise/antivirus CAs. As expected, this "convenience" will make us all less safe :(.
> I think this CA should be blacklisted by Mozilla and Firefox should not accept it at all even user installed it manually.
> This will save privacy of all Internet users in Kazakhstan.
No. This will mean that users would simply switch to chrome, edge, brave, ... , n + 1.
In case all of them block this CA, the government will force people to install an older version or will patch any open source browser so that it works with their certificates.
IMO, this is also wrong from a philosophical point of view. Your browser should just be your browser and not take part in political disputes. It doesn't sit well with me that Firefox has anything to say in the politics of its users.
In the United States, for example, it's legal (even expected?) that corporations can install custom CAs into their user's browsers and prevent internet access to any browser without it installed. Is it Mozilla's job to prevent these CAs from being installed on user's workstations? Should Mozilla reject any certificate from Blue Snort, etc.?
Kazakhstan has likewise declared it legal (under their own sovereign legal authority) to prevent web access to its citizens without the required CA installed. Just like it's legal in the US for corporations to "spy" on their employees, it's legal in Kazakhstan for it to spy on its citizens.
Laws of Western countries do not extend into other sovereign nations, regardless of what one thinks of those laws. It's not Mozilla's job to get involved in this case.
> And finally, encryption doesn't solve violence.
Nor abuse of freedom by nation states, unfortunately.
American and European companies and organisations put on loads of protest against acts like SOPA and Article 13. I don't see why this is any different.
Just because a nation state decides on something doesn't mean that foreign entities can't protest that decision. Firefox and Chrome can add very scary warnings to users about government sabotage if they want to; they can even start including ads for Tor and comparable services if they want to. Blocking the cert would at most be very consumer-unfriendly to people wanting the certificate to be in place. If they disagree with a particular browser vendor, those people can switch browsers or fork an open source one.
Mozilla's job is to provide a safe and open web. The Kazakh government is opposing that. In this case, it's perfectly in line with Mozilla's mission to warn users as best they can against the scary precedent their government is setting.
Of course this only works well if Google, Microsoft and Apple join the effort to warn users. Google is already showing a constant warning on Android when a device is being MitM'd and many of their apps do certificate pinning. Facebook and Twitter do certificate pinning in their apps as well.
I don't see why browsers couldn't take action as well. Just don't show any green locks during a MitM and show periodic notifications about the users' security being compromised. Block the certificate if you have to; as a party people rely on for choosing what certificate authorities to trust, they can't allow themselves to be compromised by governments enforcing laws endangering the safety of the web.
You're forgetting the power a discontent population can have on government. In case all browsers took a stance against cooperating with silent MITM, this would be a great pressure on powerful entities not to do it. Governments can get away with suppressing people's online experience for a while, but if they have subpar experience and basic websites won't function properly due to dated browsers, the pressure on governments to get modern browsers may increase.
Given the rise of HTTPS, intentionally or unintentionally, politics now lives in the endpoint (smartphone/tablet/computer)'s tech stack. Some part - the browser (and thus its vendor), the operating system (and its vendor), or some add-on (and thus its vendor) - gets to determine who/what's considered a root CA, and is thus allowed to decrypt message contents.
Can we, endpoints outside Kazakhstan, detect when a MITM client is connected and serve a boiler plate message "Untrusted connection"?
If enough high level sites do this (Google, Cloudflare, Wikipedia etc) it might force the hand of the government since they are the ones effectively breaking the internet.
Kazakhstan is blocking some websites, including home pages for Tor and popular VPN services. Also it uses some sophisticated Tor blocking: it establishes TCP connection but no bytes going there, so Tor client just hangs there without error or traffic, I wasn't able to unblock it, though I did not try hard enough. I think that they are blocking connections to popular VPN services as well, but I don't really know. Without access to their home pages it's hard to connect anyway. I know that people successfully using some mobile apps as VPNs, so while they are trying to block VPN, they are not trying hard enough.
I never had any problems with SSH and I operate my own OpenVPN on VPS using standard port and I never had any problems with it as well.
ZaTelecom Telegram channel (https://t.me/zatelecom) claims that that not all ISPs have rolled out the MITM attack. For now, a good solution would be to switch to a different ISP (it's not like in the US, each home has access to 2-5 different ISPs).
Also, users ask everyone to use a VPN. So, I think that they have access to VPNs.
hmm, certificate pinning will not allow this gov-ca to work for a lot of high profile web sites. i wonder if these sites with cert pins are whitelisted by the kz gov?
--
somehow i missed that HPKP is dead and will be removed from chromium and all the derivative browsers. now google is focusing on Expect-CT
Although pinned certificates have gone out of favor on the web, they are still very frequently used by iOS and Android apps. Last time I checked, the Facebook Messenger app refused to work when being MitM'ed.
I hope they pin on the key, not the certificate. For a mobile app I worked on, I had it pin the public key on the leaf certificate and indeed it would fail to connect in this scenario.
When you connect to a website via HTTPS, your browser downloads the certificate from that website and validates it by checking that the website's certificate was cryptographically signed by an entity that the browser trusts. If the certificate is valid, then you can assume that your data will only be decrypt-able by the website owner, so the connection is secure. Your browser will display a happy green banner showing that the connection is secure, so you can feel safe sending private data to that website without it being eaves-dropped along the way.
The browser checks for validity by ensuring the website certificate is signed by a certificate that is shipped with the browser. These "root certificates" are usually owned by Certificate Authorities, such as Verisign or any other number of CAs. CAs ought to verify that the entity creating a new certificate is who they claim to be (the website owner) before signing a certificate. This way, you trust Verisign to tell you that you can trust the target website.
What Kazakhstan has done is create their own root certificate and asked people who live there to install it in their browsers. They are also intercepting any connection to facebook.com and giving your browser a Kazakhstan-created certificate, which is then verified against the Kazakhstan-owned root certificate. Since it will pass this check, the browser shows a happy green banner, even though the certificate is owned by Kazakhstan and not facebook.com. In other words, the data people in Kazakhstan send to facebook.com is now being intercepted and decrypted by Kazakhstan before being forwarded to facebook.com. Facebook is the example used in the linked bug, they can perform this with any other website, too.
Could companies like Facebook, Google, perhaps CloudFlare detect this is happening in anyway I wonder? Are there any characteristics of the non-FB certificate connections that could reliably be detected either in the headers sent to FB, or via client-side JS?
How about comparing the IP address of the request with the IP address reported in requests to the FB server with the IP reported if you make an XHR call to a different domain endpoint that returns your IP? That would compare the physical browser's IP with the MITM 'requestors' IP?
If enough of the centralised sites and CDNs look out for this it would render it a lot less effective. This also turns a undetected user security/privacy problem into an in your face "firewall" from the user's point of view. Now the user asks their tech friend "why can't I see FB" and their tech friends sets them up on a VPN.
Apologies if this is hand wavey I'm not a network or security expert but I am curious about this.
It's been a long time since Verisign was a public CA.
The Verisign brand lives on, but it was acquired by Symantec back in 2010, Symantec then sold their CA business to DigiCert back in 2017. So although you may find certificates with "Verisign" branding on them, that has nothing to do with the company named Verisign.
What prevents us from having to trust Verisign (or its employees) or a government warrant, etc. to not do the same?
Can we leverage signed DNS records to add another layer of control needed?
Do we also need encrypted DNS where we can choose who to trust?
Are we stuck with the CA trust model?
> What prevents us from having to trust Verisign (or its employees) or a government warrant, etc. to not do the same?
Certificate Transparency. Current browsers are moving to not trust any certificate whose issuance wasn't publicly logged. That doesn't prevent an attacker from issuing an MITM certificate, but doing so would permanently burn a CA. (At least, once the policies are in place and enforced.)
You're right, trust is a major issue with any PKI. You can find hundreds of research papers and blog posts and probably even a few whole books on the topic, I'm sure :)
> What Kazakhstan has done is create their own root certificate and asked people who live there to install it in their browsers.
Is this voluntary? If I bring a device into the country without this certificate (or if the local removes it from their machine) do things go back to normal?
If you don't have the special root certificate installed, the browser will refuse to connect because the certificate being presented is invalid (it's the government spying certificate, which you don't trust, not Facebook's certificate, which you do trust).
Your browser will reject the bogus FB certificate. You can tell your browser to connect anyway with the bogus cert, but it will still be MITM'd. There's no way around this (outside of using a VPN or whatever to effectively remove yourself from Kazakhstan).
Going back to normal, i.e the browser saying that the presented certificate is invalid, yes. But you will not be able to browse anything over a HTTPS connection. (Or do other stuff over PKI based TLS, i.e downloading software updates etc.)
Shoot, I hadn't even considered software updates. If this is installed at the system level, they could MITM any software update mechanism that doesn't use cert pinning, couldn't they? Woof.
Yep... I wonder how common it for "sensitive" software to neither use pinned certs nor some package level signing? But probably common enough that it can be abused...
The state of Kazakhstan is intercepting all encrypted web traffic. They may filter it, block it, inject nasty things (malware etc) or just spy on the populace.
A Certificate Authority is an entity that verifies the identity of websites for your browser. There are only a few CA's in the world and their integrity is crucial because of how your browser trusts them. By making users install a government-issued CA, and also controlling their internet provider, the Kazakh government can pretend to be any website and therefore see all HTTPS traffic from the affected users.
I'm in Kazakhstan atm, the only solution I can see is to reach Google, Mozilla, Firefox, Apple, banks and all the other popular platforms and social media apps and ask them to ban connections with the government-issued certificate.
This will immediately block their services in the country and will raise awareness at scale.
I understand that by making people install the government cert, any website with a cert signed by that government cert will happily speak TLS.
But, how can they read data transmitted between websites they don't control? When the client asks for Facebook's cert, wouldn't the government have to sneak in and show a fake cert signed by them instead? How does that work?
It can probably work as MITM. The ISP or whoever controls your net traffic needs to generate a fake certificate(signed by a trusted root cert) for a site you are browsing. Refer example in:
https://en.wikipedia.org/wiki/Man-in-the-middle_attack
The regime has just painted a huge "X" on their backs.
If you hack the governments servers and steal the certificate private key you can pretty much rob the entire country - all bank transactions, pins, passwords etc. will be in the clear for you, ripe for the picking.
This is yet another reason why backdoors are so dangerous, not just for the privacy of all citizens.
Does these MITM-middleware softwares usually verify the cert presented by the server? If not, I guess this could be used to double-MITM the user?
If someone manages to redirect traffic by e.g DNS spoof to some server which presents a self-signed certificate for e.g Facebook.com, the government-MITM would just sign that as being Facebook.com.
Absolute morons. They will break windows updates. You cannot easily mitm Windows updates. There is additional undocumented check that the CA is from Microsoft. One needs to hotpatch the windows update dll’s to enable it. That’s almost certainly one that won’t be intercepted.
Have other governments requested their citizens to install country specific CAs? For some reason, I thought China already employed this practice (although I guess they wouldn't need to, as they just tend to block everything that isn't government approved).
Lets say you have this root CA installed on local machine and won't delete it. Can you protect yourself against https decryption by MITM in any way? Will VPN help or they will intercept VPN connection too?
Many of us already trust certificates we shouldn't be.
It's not even this blatant in most cases. About 6 countries have issued certificates for Google, India being one of them. And they all made use of the fact that they were part of the trusted root certificates on our systems.
Actually, a dns caa record could be of use in this scenario to at least alert the client that the traffic has been intercepted. Then again it is trivial to intercept and rewrite plain DNS requests and dns over https would also be subject to the same https mitm intercept... Maybe certificate pinning was a right idea.
That is true, however it could be used for CA verification also, could it not?
Edit: RFC 6844 very unambigously states that it can be used for additional verification:
CAA records MAY be used by Certificate Evaluators as a possible indicator of a security policy violation. Such use SHOULD take account of the possibility that published CAA records changed between the time a certificate was issued and the time at which the certificate was observed by the Certificate Evaluator.
I think everyone who is concerned with privacy in states like those, use ToR anyway all the time. I know people who only do meaningful stuff on the Internet through an RDP session on a server in Amsterdam, connected to through a VPN. The rest is just to watch cat videos.
This is bad because we don't like it when a foreign government infringes on foreign citizens' rights, but it may also be good (in a limited sense) because it might bring a whole lot more public scrutiny (from all countries and their citizens) towards the issue...
Firefox and Chrome updating their browsers to block these certificates won't also work, since the Kazak government can just fork Firefox and create their own browser which accepts their rogue certificate. And block all other browsers which don't.
"I knew the techies could do it! They told me they couldn't but I knew they were lies. See! even Kazakhstan can do it, so why can't I also break HTTPS encryption?"
At what point does this become an OFAC issue for browser vendors based in the states? I would be stunned if someone at Commerce isn't already circulating enforcement memos about this.
I think that's terribly optimistic. I think there are all kinds of people in the US government who would like to be able to point to a success story of a scheme like this, so that they'll have more ammunition in support of implementing it here.
As for whether designating that browser vendors can't distribute software to Kazakhstan, their government would just fork an open-source one, mod it to pre-include their MiTM cert, and force their citizens to use that.
Would it be possible to also blackhole the domains used to host the bad CAs? Yes they could counter this but it would buy some time before browsers are updated.
They probably will issue alternative Firefox and Chromium build. That would be worse. Though if entire tech industry will fight this attempt, like Windows will stop updating, macOS, iOS, Android, etc, probably they will step back. But I don't think that anyone would do so. Especially because that scenario is legitimate and widely used by corporations to control their perimeter and Kazakhstan ultimately does not differ.
Think more towards break everything, as you would end up with out of date broowsers being used. This will have the side effect of causing almost the whole country to be vulnerable to attack.
99% of the population will happily install the government cert, and life will move on.
The 1% will either put up with it, stop using the internet, or leave.
One thing will happen though - the economy will not be ruined.
Generally speaking, since the Cold War ended, these sorts of countries don't mind troublemakers leaving. It's better international PR for them to have 'problem people' leave voluntarily, than to repress them.
For example there's no way for my LG TV to install that root CA, so all that smartness basically rendered useless, unless LG would issue new firmware for that region and I'm not really sure that they would care enough. I bet that there are plenty of devices that would stop working. Think about all those IoT devices. I could imagine some kind of eye surgery laser device to stop working because it can't connect to its Zurich servers to check license. Yes, it won't cause revolution, but there will be a lot of issues.
SSH doesn't depend on certificate authorities, it's up to you to manage your own keys, each end point also has a uniquely generated signature which avoids MITM after first time auth (including by taking over domains).
This is a HTTPS only issue and fundamentally it's the same problem as control over domains (ease of manipulation through centralisation).
As far as I know, both the apps you mentioned use HTTPS. However, apps have the option of doing what's called Certificate Pinning.
That's when the application ignore OS/User trust settings about certificates, and just allows a list of hardcoded certificates / certificates signed by a hardcoded CA. Akin to how SSH works (kind of...).
If I remember correctly both Telegram and Instagram have pinned their certificates, which would probably block all network communication but not allow for a MITM attack, even if the user installed the KZ root certificate.
I think all Facebook apps do this, and probably most major apps from big companies. I tried to do some research on what requests the Facebook app was making on my phone and it was pretty difficult to get it to allow me to use Charles proxy (when I installed the cert on my phone the app just stopped working) because of the certificate pinning. The only way this would work is if the government created their own FB, etc. app and somehow distributed it.
I guess you'd have to install the certificate on your phone too. I guess that means that visitors to Kazakhstan won't have internet access during their stay, unless they install the malicious certificate on their phones as well. I really hope this doesn't set a precedent.
Just don't install that certificate. If something stops working, you'll know that they tried to break that channel. If something's working, then it's OK. And if you need things to work, use VPN.
I would actually be shocked if US agencies can't do the same here almost all the time. There has to be at least one trusted root authority that is controlled by an agency. Do you remember when RSA made a $10 mil deal to give .gov a backdoor back in the day. There is no reason any major US based certificate issuer couldn't do the same, or an employee turned into an asset to sneak it to them, or they just straight hack the places and get certs they can generate anything on. You might be able to detect it by logging the issuer of the cert, the browser doesn't care who auths it as long as it is trusted. It would be odd for most places to have certs issued by multiple authorities.
I blame, in part, TLS 1.3, E-SNI, and DoH for this.
Previously, a government could monitor what site a user is visiting just by looking at the TLS session startup. Even if it is hosted on a cloud provider and 100 different sites are hosted from the same IP, they could look at the TLS-SNI data in the plain text to choose to interrupt and block the connection.
A fallback would be to manipulate DNS queries and force all DNS queries to be directed to official DNS resolvers. But DoH makes that far harder to control.
This is a bluff being called. Tech said "If we make it so that they have to spend all this money and build a massive scale intercept that actively participates in each TLS session, they won't buy into the cost."
Costs keep going down for this sort of thing. Now there are large organizations and governments willing to work on this stuff.
Warning: what follows is completely baseless speculation, and let's concede that right off the bat.
Who's to say that this isn't happening in the US as well? The US has invested billions of dollars in dragnet surveillance that is allegedly useless for anything other than metadata in the context of HTTPS.
Is it out of the question to ask whether our secret courts could issue gag orders and claim that national security mandates CA root keys? Such a gag order would only be served to a small group of engineers at large companies, and those engineers would have no right to report on it. We're talking about only a few hundred FISA gag orders, and thousands are served annually. It would make
their multibillion dollar infrastructure useful again, wouldn't surprise me if some (unnamed, anonymous) judge bought the argument.
To employees at vulnerable companies, what's your PKI like? Is anyone aware of a company that implements strong multi-party checks on accesses to important private keys? If the NSA wanted your keys, how many employees would need to be served gag orders? Is it on the order of dozens or hundreds?
The larger the conspiracy theory is, the higher the risk that someone will simply decide it's worth whistleblowing on. The whistleblowing could even be effectively done anonymously in this case. Secret Government surveillance of end to end encrypted data in the US would be such a huge news story and public interest that it wouldn't be difficult to find engineers willing to take the risk of anonymously providing evidence of it to the press.
A "few hundred" gag orders placed on engineers about something deeply outrageous sounds completely implausible as lasting secrecy. Secrets simply can't be kept at that scale.
Even NSA employees themselves would eventually refuse to keep such a program secret, as we saw with Snowden.
Earlier this would probably have been a somewhat plausible solution, but not even then for mass scale surveillance.
Assume NSA et. al had access to trusted CA private keys, then they could generate certificates for arbitrary domains which would be trusted by clients. But if they MITM'ed _all_ connections (or even a large portion) surely someone would have noticed, like in the DigiNotar case [0].
But it's even harder (or better) now, with the advent of Certificate Transparency. Since browsers check certificates, periodically, against the CT logs which would fail for forged certificates [1].
However, stealing private keys from companies themselves is a practice that I can imagine happening on a small scale, like the Realtek signing keys for Stuxnet [2]. But doing that on a large scale is not really sustainable.
If the NSA was using their own certificates to MITM all HTTPS traffic it would be easily noticed by security researchers. Its not like they obtain the private keys of every US company. They'd have to make their own replacement certain for every site they wish to intercept. That could easily be noticed by security professionals and targeted companies by monitoring.
There are a lot easier ways to exfiltrate data than wholesale breaking TLS encryption and MITM'ing 295+ tbps of domestic traffic. That said, every super power is working on better decryption capabilities.
Event just a single site from the alexa 100 would be too obvious. I'm sure some security researchers and/or companies are already monitoring the certificates issued from major websites for abnormalities.
I could of sworn there are instances where root authorities had brush ins with the law, maybe I'm just remembering a theoretical rant I heard somewhere.
https://rus.azattyq.org/a/30064788.html
They have been talking about this stuff for some years, though. It will get implemented at some point. I have a feeling it was one of their "test trials": can we boil the frog yet, or do we have to heat the water up a bit more?