Hacker News new | past | comments | ask | show | jobs | submit | page 2 login
MITM on HTTPS traffic in Kazakhstan (bugzilla.mozilla.org)
1336 points by bzbarsky 62 days ago | hide | past | web | favorite | 453 comments

The pertinent page [1] of a local ISP, Kcell, is interesting - very devious.

> Kcell JSC informs its customers of the need to install Security Certificate on personal devices capable of connecting to the Internet

> Due to the increase of identity and personal data theft, including stealing money from bank accounts, introduced a security certificate as an effective tool to protect the country’s information space from hackers, online fraudsters and other types of cyber threats.

And some FAQs are hilarious (as in hilariously devious):

> What happens if I do not install the Security Certificate? You may have problems accessing the Internet.

> Will installation of the Security Certificate affect the protection of my personal data? The security certificate has no access to your personal data.

Yeah, true that, literally, but you forgot to mention something there...

[1] https://www.kcell.kz/en/product/3585/658, might have to switch to EN in top right corner

Wow, if only everyone was as smart as Kazakhstan and figured out that this super awersome Security Certificate was "an effective tool" to protect the entire country's information space. And I've been wasting time with strong passwords, 2FA, E2E encryption, full disk encryption, etc. /s

I have custom root certs for internal dev sites for my company. That's fine, but I'd like to add the root with a caveat that I control saying "I trust this root for *.mycompany.com,mycompany.org", but that I know means they wouldn't be able to proxy "mybank.com".

I don't think Firefox or Chrome can do that can it?

I'd like that as well, for exactly the same purpose.

To the best of my knowledge, no browser can do this today, and I don't know of any other software that can do that either. (I'd want to have it in the system certificate store with the same constraint, as well.)

Name Constraints, as mentioned elsewhere in this thread, wouldn't solve the problem, for two reasons: most software doesn't support them (and silently ignores them rather than correctly failing closed), and they require the CA certificate to contain the constraints rather than system configuration adding the constraints.

We need a mechanism to place certificates in a certificate store (browser or system) with specific domain constraints configured by the administrator. To avoid the failure mode of Name Constraints, those certificates shouldn't be accessible to software that doesn't know to enforce domain constraints.

That would also require updates to various SSL libraries (and to browsers) to handle this new certificate store and enforce the constraints.

A mechanism to constrain root CAs to particular URLs/domains was proposed in firefox a while ago[0]. Perhaps an idea whose time has now come?

It seems like the principle of least privilege could easily be applied to the CA system rather than trusting all CAs for all domains, as there seem to be obvious/natural constraints in certain cases (like CAs that only operate under a particular country TLD).

0: https://bugzilla.mozilla.org/show_bug.cgi?id=501697

> most software doesn't support [name constraints] (and silently ignores them rather than correctly failing closed)

Could you elaborate on this? Specific examples? CVEs? My experience has been that most software will either honor them, or honor the "critical" flag, which is correct (if disappointing) behavior. If you want it to fail closed, use the critical flag. If you want it to fail open, clear the critical flag.

The last time I investigated this this, several years ago, I found that several SSL libraries simply ignored the extension entirely, whether it had "critical" or not. Older OpenSSL did so, for instance.

Doing some additional research, it looks like the situation has improved significantly now, and name constraints might actually work as designed if you don't care about older systems.

That still doesn't address the ability for a browser/administrator to apply such name constraints to a CA that didn't ship as part of its certificate, though.

There is a Name Constraints extension in X.509[1] that does exactly that, but to my knowledge no browser implements it.

[1] https://tools.ietf.org/html/rfc5280#section-

and that would have to be baked into the CA certificate, not specified when the CA is trusted. I dont want my browser to ask the CA what it's allowed to do, i want to tell it what it's allowed to do

It has to be baked into the CA, so that a browser vendor can check it before inclusion. If the CA specifies domains it is not allowed to sign certificates for, it will not be included.

> but to my knowledge no browser implements it

Firefox does, though I don't know how much they check beyond just the dNSName constraints. Here's the unit test making sure it stays working: https://github.com/mozilla/gecko-dev/blob/b8157dfaafc42deb3b...

You should be able to do this for Firefox, in two ways, neither of them very convenient, but if you're excited enough about this to put some work in:

1. The actual browser software has its own rules for what's trusted on top of the root trust store often copy-pasted into other software (e.g. in the Python package Certifi). These rules include name constraints of the sort you're interested in, functionally they're used to constrain roots that might be fine but whose government operators promise they're only for some TLDs under authority of that government, so in a sense for those names the government decides who "really" owns them anyway.

Rather than link a horde of HN readers into Mozilla's poor mercurial server I'll point you more indirectly at a summary from their wiki:


You can fork Firefox and add your own rules to NSS, or if you're feeling really fancy, your own extension mechanism to add rules at runtime.

2. You can spin up a root, and trust it, and use that to sign a suitable constrained intermediate. Then, destroy the private key for the root and continue using the intermediate.

In this scenario Firefox gives total trust to your root, but it can't possibly proxy mybank.com because you destroyed the private keys, it can't do anything further at all. The intermediate, which can still issue, is constrained.

Google (I think? Some big tech firm with know-how) has used this trick for products that do loop-back HTTPS. It mints a root cert during instal, issues one certificate and then destroys the private key, then it can trust the root cert but without any danger you later get MITM'd by the root, because that root's private key no longer exists anywhere.

Just issue self-signed certificate for *.mycompany.com, mycompany.org and then put it into trust store, without CA flag set.

> CAA creates a DNS mechanism that enables domain name owners to whitelist CAs that are allowed to issue certificates for their hostnames.


CAA isn't relevant here.

CAA is a mechanism for trustworthy CAs to agree not to issue certificates to people who don't want them.

So if you set CAA to insist you only want Comodo certificates in darkhorn.example, Let's Encrypt will refuse to issue certificates for names under darkhorn.example

But no matter how you set CAA for darkhorn.example, my private CA can issue certificates for it no problem. Let's Encrypt aren't _prevented_ from issuing, they are _declining_ to issue by policy, and that policy is part of why the world trusts them. But the world doesn't trust my private CA, so I don't have to follow that policy.

For root certain? But you can add your own self signed certs for domains an they can be wildcards.

You only need a root if you're issuing other keys.

No, although the root itself could be scoped that way with an X.509 name constraint. But if you add the root then I believe there's no browser policy to otherwise limit the names for which it can be trusted.

Actually true root certs when evaluated by the browsers will have their name constrains within the root certificate themselves ignored.

Modern browsers do respect name constraints of intermediate issuing certificates.

Thanks for the correction!

On a tangent, do you know off-hand what browser support for name constraints is like? The last time I looked was a few years ago and at the time it wasn't well supported but if that's improved it'd be a good step for intermediate certs.

The last time I looked into it, a few years ago, everyone except Apple had some basic amount of support. (That is, openssl, firefox, windows, and android — that's all I looked into.) I set up my private CA with name constraints, but I had to mark them noncritical if I wanted iDevices to be able to use the CA at all.

But the other systems did at least appear to honor the constraints.

I've asked Apple security folks about this a few times, but they just look uncomfortable and change the topic.

It must have been many many years ago, more than 10 at least.

Any way to avoid or bypass name or path constraints would be considered a huge and monumental vulnerability today.

> It must have been many many years ago, more than 10 at least.

You would be unduly optimistic — for example, Apple did not support them at least as recently as 2015 (see e.g. https://bugs.chromium.org/p/chromium/issues/detail?id=407093...) and 10 years ago OpenSSL hadn't even shipped support upstream, plus however long it took your distribution to ship a major version upgrade to 1.0.

I was hoping someone might have a pointer to current information on that topic since I believe Apple did finally fix Secure Transport but not when.

I am afraid I don't have better information on when but some anecdotal information about the state of it. I have done some limited testing and research for our own internal Root CA I got the impression it works nowadays.

I have not gotten as far as testing it in production but based on testing Safari and Chrome in https://nameconstraints.bettertls.com/ and creating our own name constrained cert and testing it with both OS X Curl and Linux Curl (OpenSSL) I am still of the impression it works.

Most other people seem to be sure that it does not though (for example in this discussion and here https://security.stackexchange.com/questions/95600/are-x-509...) so I am not sure if I missed something or if people are just not up to date.

I'm surprised at comments in the bug threads suggesting they do nothing. The idea being that fighting this would force governments to fork/change browsers, ultimately being a worse experience for users. Seems like betraying people's trust is a pretty bad user experience.

There will always be a fight over privacy. Giving up to a foreign government is a terrible idea. It would absolutely just let the problem spread and get worse.

I don't think Kazakhstan has the resources to replace outside online services. A move like this should simply result in them shooting themselves in the foot. This needs to be a firm line such that it's simply not practical for them to implement.

I understand that bugs/discussions should weigh both sides. And ultimately, we may need more than HTTPS. That's fine. The point is we don't just roll over and give up.

If a government mandates its citizens to install the government’s own root certificate, then it’s not that easy to find a long-term technological solution. The problem here is not a technical one, IMHO. The problem is that the government of Kazakhstan is not respecting the freedom of its people.

Point in case: In 2018, Kazakhstan ranked #144 in the Economist Intelligence Unit’s Democracy Index. Countries such as China, Cuba and Belarus had a better ranking. [See https://en.wikipedia.org/wiki/Democracy_Index#Democracy_Inde...]

IMO what’s needed is first and foremost more democracy in Kazakhstan. That’s not something that Firefox can solve.

With that said, perhaps anti-surveillance technology can assist the affected users. Maybe Tor. I’ve heard about some other, similar project but I can’t recall its name right now.

[Edit: These where the anti-censorship applications I was thinking of: https://www.psiphon3.com/ and https://getlantern.org/. Can’t vouch for their security though.]

I don't agree. First off, no matter how you or me may be enraged by the incident, this is not (and shouldn't be!) a "moral problem" for the Firefox. And, by the way, if you are not living in the Kazakhstan, it's not for you to decide "what is needed first and foremost in Kazakhstan", it's their business entirely.

From the point of view of the Firefox, this should be an extremely simple technical problem. There is CA that is known to be "compromised" in an entirely technical sense, i.e. it is known to allow MITM. So blacklist it, end of discussion. Allow the user to remove it from the blacklist somewhere in browser's settings: it's not for you (Firefox) to decide what the greater good is.

I assume, it would indeed be a problem for Kazakhstan to fixing the service if people are not using the internet, because their browser doesn't work (because it's both an economical and a social disaster, obviously). Or maybe it wouldn't, because Kazakhstan will send troops to every home to replace every browser by Kazakh-fox or whatever. And it may play out to the better in the end, as much as it can lead to massacre.

But (as a 3rd party technological company) don't play mighty and powerful, responsible for the lives of people in Kazakhstan, it's not your fucking business how they live. You see a technological problem (known CA allowing MITM) — you solve it (block the CA!). That's what you promised your users to provide, to fix technological problems, not to fix the political climate in Kazakhstan, USA, China, whatever.

The certificate is not in the Firefox trust store. The government is requiring users to add it manually.

> Giving up to a foreign government is a terrible idea. It would absolutely just let the problem spread and get worse.

Their government isn't merley "snooping" on it's citizens due to a week chain of trust architecture and a lack of ethical clarity... it's requiring by law that it's citizens be snooped on and censored. In such a regime, a technological arms race is not going to change the legality of subverting their measures, and cannot help the masses without simultaneously jeopardising their safety.

History contradicts you. There are examples from communist block where technological solutions that bypassed government restrictions helped to spread banned information.

I did not say it cannot help, I said it cannot change the legality of subverting the government, and so cannot subvert the government without simultaneously jeopardising citizens safety.

I wonder if open source browser projects can have a license that prohibits forking for the purpose of mass (state) surveillance.

By definition, no. https://opensource.org/osd-annotated #6

Google, Mozilla, and Microsoft need to take a stand here and blacklist these certs. All of the efforts to move to HTTPS, and all of the rhetoric surrounding it, are just wasted time and empty words if we as a tech community allow this kind of behavior to go unchallenged. This sets such a dangerous precedent, and governments need to know that this kind of meddling will not be tolerated.


To continue using internet, you need to install our government-provided fork of Firefox that doesn't blacklist our government-provided root cert.

regards, your Tele2

That's exactly what will happen if they all-out blacklist. The best near-term option may be a compromise: a special indicator in the browser UI that the connection has been set up in such a way that some organization may be monitoring.

Yes, this kind of indicator should always have existed for the corporate and anti-virus local roots as well.

for all we know NSA may already be doing that all the time, and they're only the worst of the good guys.

Modern browsers require that leaf certificates which are issued in a chain which descends from a built in publicly trusted root include "certificate transparency" information. This means that the certificate has been published in numerous public logs and so would be discovered.

No doubt the NSA intercepts all kinds of things, but they're not doing it with TLS MITM technology (at least not without further additional hacks).

That is, assuming that your downloaded copy of Firefox contains these root certificates and not some different ones.

They don't even need to fork Firefox - there are couple of Russian browsers (https://browser.yandex.com/, https://browser.ru/) that would definitely allow Kazakhstan government to snoop into traffic (and hey even have Kazakh language support already). ISP will just advise clients that bad western companies banned Kazakhstan, so please use good safe Russian browsers.

Let's get Congress to do it - fix the collective action problem. Pass a law that says that all American companies are forbidden from serving traffic to countries which require their citizens to install compromised roots on their personal devices. Treat them like North Korea / Iran.

I'm from Kazakhstan using the biggest Internet provider (Kazaktelecom) and that's not true for me. No MITM here. May be not yet. Also checked mobile provider (Activ) and no MITM here too. But I saw local news, so probably not fake, though I'm not sure if it'll be mobile internet only or all providers.

Same here. Haven't yet got any SMS or notifications from my mobile/home ISPs, but couple of my friends are reporting that they did / there are many posts at social media, proving the fact, like this one: https://www.instagram.com/p/B0Do5IOHjab/

This comment on the mozilla.dev.security.policy mailing list says that right now it's only for users in the nation's capital: https://groups.google.com/d/msg/mozilla.dev.security.policy/...

> At the moment, providers started to use the certificate in the capital of Kazakhstan - Nur-Sultan (ex. Astana).

So it may not be nationwide yet.

> This comment on the mozilla.dev.security.policy mailing list says that right now it's only for users in the nation's capital

I'm from capital (Nur-Sultan, former Astana).

I just checked my wife's phone and apparently she got SMS. Funnily enough, her cellular internet now does not work at all. Probably rollout is not going easy.

Seems to affect Astana mobile users for now

This sounds very familiar. Oh yeah, 4 years ago:


They should just put a red dot on the browser bar somewhere indicating a non-normal root cert is being used (this would also help in dev / test scenarios).

This is actually the subject of some debate, believe it or not, there is a good argument against it.

Here is the crux of the issue, many TLS middleware providers install their own root certificate for network monitoring, data loss prevention, security scanning and so on. I personally would like them to stop doing that or at least make it obvious to end users it's happening. However, in order to modify the root store, they must have been authorized to do so by the Administrator, and it's their network or hardware.

If we try to make it obvious to users that this inspection is happening, these providers will switch to using alternative methods, such as using Microsoft Detours - which would be even worse, now you have random vendors patching security critical code in such a way that is not discoverable for end-users. This cannot be prevented, because they must already have Administrator access or they wouldn't have been able to modify the root certificate store in the first place.

In this Kazakhstan scenario, imagine if adding the government certificate put a red dot that said "You are being monitored". If the government didn't like that, they could instead require you to install monitor.exe that had the exact same effect, but didn't show the dot by patching and hooking all the crypto APIs. I find this argument against adding an obvious indicator quite compelling.

In this case though, it seems like the government has no problem with telling people they're being monitored. The fact that they're willing to tell people to install a TLS certificate is indicative of that.

I think companies in the US are legally required to provide similar disclosure when monitoring their employees, so I don't see why they'd have a problem with a persistent indicator like that.

In this case though, it seems like the government has no problem with telling people they're being monitored

Not at all. They spin it as providing security:

"Due to frequent cases of theft of personal and credential data, as well as money from bank accounts of Kazakhstan, a security certificate was introduced that will become an effective tool for protecting the country’s information space from hackers, Internet fraudsters and other types of cyber threats.


What is a security certificate?

A security certificate is an electronic certificate that allows to protect Internet users from content that is prohibited by the laws of the Republic of Kazakhstan, as well as from malicious and potentially dangerous content. The security certificate is intended to provide subscribers of cellular communication in Kazakhstan with Internet access in the most secure manner."

(source: https://www.kcell.kz/ru/product/3585/658 -- but this text seems to be coming from government, since it's quoted by all providers).

I'm curious how many people would realise that installing a root certificate implies the government wants to spy on their traffic.

It's going to be a lot fewer than the people who'd be able to understand they'd need to do X to keep the internet working.

This is a silly argument. You might as well say that Firefox should include an option to silently submit all your keystrokes to a designated endpoint, because after all if you have access to set that option you have access to install a keylogger.

So what if they could, in theory, work around the indicator by asking users to install some dubious live-patching executable? Firstly, the users wouldn't have to do so - the enforcement mechanism here is ultimately the MITM itself, so as long as the users just installed the certificate they could continue to access sites (they would have to make the certificate available separately, for installation on iOS / Android / ChromeOS etc). Secondly, the security implications of live-patching the executable are mostly irrelevant, because the only people installing this have already lost the security game. Thirdly, there is a benefit in making the bastards work for it - keeping that live-patcher up-to-date and working against a range of target executable versions is going to be bitter work.

Companies will typically want their employees to know they are being monitored for legal reasons (as well as deterrence), so it seems like they'd have no reason to want to hide this?

Maybe clicking on the red dot could show a page with company policy.

Something like this is in FF 68. Not a red dot, but an indication when you click the padlock.


That would help people who already know what a root cert is, but it's well known that most people ignore any indicator in a URL bar. Even "smart people" ignore them. Do you actually check the lock status of every site you visit?

Most browsers have made the lack of a "lock" quite evident to end users.

If they look and care. The comment you replied to asserts that most people don't. I certainly don't.

If HN didn't have the lock in the url bar (no https), it would have zero impact on my behavior. I had to look just now to even know if there was one.

The goal is to make it evident when there isn't one.

Well, Chrome does make it evident. That wasn't my point. My point, and the point of the comment above, is that it doesn't matter to almost anyone.

If HN still wasn't using https, we'd still be here. Virtually nobody really cares day to day.

So? It matters to those who care about their communication not being spied on / silently modified by third parties. That set isn't empty.

This would be fantastic.

Also, it would be great if there were a "red dot" style warning when you manually click "Proceed anyway" while viewing a https page with an invalid certificate (currently, the browser remembers the "Proceed anyway" decision and accepts the invalid cert after the initial acceptance of the warning)

There's the big red X over the HTTPS icon in the address bar in Chrome and I'm pretty sure there's something similar done to the padlock icon in Firefox, no?

Oops, you're absolutely right.

What makes everyone so sure this isn't happening everywhere already?

The problem Kazakhstan had was that there was no existing CA they could already force to issue certs. So they had to make a new one. It would be foolish to assume that none of the many trust anchors your browser already trusts haven't already been compelled by your local government to do exactly this.

Also, DANE and DNSSEC solves this problem.

Certificate Transparency would make it blatantly obvious if any existing CA were being compelled by governments to issue fraudulent certs.

DANE is, unfortunately, not viable to implement in browsers right now for a variety of reasons: https://www.imperialviolet.org/2015/01/17/notdane.html

> Certificate Transparency would make it blatantly obvious if any existing CA were being compelled by governments to issue fraudulent certs.

CT makes such an attack obvious, but the harm can't be undone.

A case study: root certificates for the GPKI, the South Korean governmental CA primarily used for public institutions, are not included in most browsers except for maybe IE [1] but frequently trusted due to (still) prevalent uses of ActiveX controls. It is of course subject to CA/B Forum baseline requirements [2] and publishes CT records, so you may guess their "accidentally" invalid wildcard certificates [3] are quickly spotted... Heck no! It was only noticed 3 years later [4]. No one knows what happened in this period.

[1] For example, Firefox doesn't include it: https://bugzilla.mozilla.org/show_bug.cgi?id=1377389

[2] https://cabforum.org/baseline-requirements-documents/

[3] For example, https://crt.sh/?id=6990343 contains a public suffix `.co.kr` (comparable to `.com`). Note that the BR contains very strong requirements for such public suffixes, which the GPKI didn't follow.

[4] https://www.mois.go.kr/frt/bbs/type001/commonSelectBoardArti...

Not only does it not solve this problem, it actually makes controls like this easier to deploy: Kazakhstan controls the keys for its own ccTLD, and will simply require people to use .kz variants of services (and require services to provide those to deploy in Kazakhstan). Many of the most popular sites in Kazakhstan, including Google, are already reached on .kz names.

I think the most important thing to keep in mind as you read through this issue and the comments is "be careful what you wish for". No doubt cases like this will be taken as arguments for making it even harder to install your own root certs than it already is, meaning that those who run MITM proxies on their own networks (e.g. to filter out ads even in otherwise unconfigurable browsers and such) get affected negatively, and it takes away from personal freedom. Also, don't forget that the pro-DRM and adtech crowd would love for nothing other than you to get exactly what they serve, whether you want it or not.

The increasing politicisation of Mozilla is also a concern --- it seems unwise for it to fight a government, or turn their core product into a platform for doing so. It's sad to see "privacy" brought up as an argument, and that seems to be Mozilla's main one these days; I think it's perfectly fine for people to desire privacy (and my MITM proxy will help with that, by stripping out trackers and such), and for Mozilla to offer services that do (they could work on their own VPNs and "firewall busters", for example), but the attitude of knowing better than the users or forcing them to trust or not trust certain entities is wrong.

So it took them only two weeks to take advantage of Firefox's new policy to automatically "fix"[1] man in the middle attacks through enterprise/antivirus CAs. As expected, this "convenience" will make us all less safe :(.

[1] https://blog.mozilla.org/security/2019/07/01/fixing-antiviru...

If an attacker can install a CA on the system, the attacker can probably also apply binary modifications to Firefox.

Or replace it with a compromised version.

It can be an authoritarian government arm twisting you into installing it voluntarily, as the article proves.

Which they could also do with software, or even hardware via import controls.

Previous discussion from back when this was first announced: https://news.ycombinator.com/item?id=10663843

> I think this CA should be blacklisted by Mozilla and Firefox should not accept it at all even user installed it manually.

> This will save privacy of all Internet users in Kazakhstan.

No. This will mean that users would simply switch to chrome, edge, brave, ... , n + 1.

In case all of them block this CA, the government will force people to install an older version or will patch any open source browser so that it works with their certificates.

IMO, this is also wrong from a philosophical point of view. Your browser should just be your browser and not take part in political disputes. It doesn't sit well with me that Firefox has anything to say in the politics of its users.

And finally, encryption doesn't solve violence.

Yes, exactly.

In the United States, for example, it's legal (even expected?) that corporations can install custom CAs into their user's browsers and prevent internet access to any browser without it installed. Is it Mozilla's job to prevent these CAs from being installed on user's workstations? Should Mozilla reject any certificate from Blue Snort, etc.?

Kazakhstan has likewise declared it legal (under their own sovereign legal authority) to prevent web access to its citizens without the required CA installed. Just like it's legal in the US for corporations to "spy" on their employees, it's legal in Kazakhstan for it to spy on its citizens.

Laws of Western countries do not extend into other sovereign nations, regardless of what one thinks of those laws. It's not Mozilla's job to get involved in this case.

> And finally, encryption doesn't solve violence.

Nor abuse of freedom by nation states, unfortunately.

American and European companies and organisations put on loads of protest against acts like SOPA and Article 13. I don't see why this is any different.

Just because a nation state decides on something doesn't mean that foreign entities can't protest that decision. Firefox and Chrome can add very scary warnings to users about government sabotage if they want to; they can even start including ads for Tor and comparable services if they want to. Blocking the cert would at most be very consumer-unfriendly to people wanting the certificate to be in place. If they disagree with a particular browser vendor, those people can switch browsers or fork an open source one.

Mozilla's job is to provide a safe and open web. The Kazakh government is opposing that. In this case, it's perfectly in line with Mozilla's mission to warn users as best they can against the scary precedent their government is setting.

Of course this only works well if Google, Microsoft and Apple join the effort to warn users. Google is already showing a constant warning on Android when a device is being MitM'd and many of their apps do certificate pinning. Facebook and Twitter do certificate pinning in their apps as well.

I don't see why browsers couldn't take action as well. Just don't show any green locks during a MitM and show periodic notifications about the users' security being compromised. Block the certificate if you have to; as a party people rely on for choosing what certificate authorities to trust, they can't allow themselves to be compromised by governments enforcing laws endangering the safety of the web.

You're forgetting the power a discontent population can have on government. In case all browsers took a stance against cooperating with silent MITM, this would be a great pressure on powerful entities not to do it. Governments can get away with suppressing people's online experience for a while, but if they have subpar experience and basic websites won't function properly due to dated browsers, the pressure on governments to get modern browsers may increase.

Given the rise of HTTPS, intentionally or unintentionally, politics now lives in the endpoint (smartphone/tablet/computer)'s tech stack. Some part - the browser (and thus its vendor), the operating system (and its vendor), or some add-on (and thus its vendor) - gets to determine who/what's considered a root CA, and is thus allowed to decrypt message contents.

Tele2, a Swedish company and major phone network in Sweden.

Wouldn't be the first scandalous thing in the former Soviet Union that a Swedish phone network was involved in: https://en.wikipedia.org/wiki/Telecom_corruption_scandal

To be noted though, Tele2 has as of recently exited the Kazakhstani market: https://www.tele2.com/media/press-releases/2019/tele2-has-ag...

Can we, endpoints outside Kazakhstan, detect when a MITM client is connected and serve a boiler plate message "Untrusted connection"?

If enough high level sites do this (Google, Cloudflare, Wikipedia etc) it might force the hand of the government since they are the ones effectively breaking the internet.

No, mitm is not easily detected on server side. It's a transparent proxy. You could start serving these messages to whole KZ ip range, though.

If someone could enlighten me where i'm wrong, it'd be much more constructive than simply downvoting.

Thank you. An interesting technique, but ultimately very easily bypassed with minor effort on interceptors' behalf.

Question to local readers: Is Kazakhstan also blocking VPNs and SSH?

Kazakhstan is blocking some websites, including home pages for Tor and popular VPN services. Also it uses some sophisticated Tor blocking: it establishes TCP connection but no bytes going there, so Tor client just hangs there without error or traffic, I wasn't able to unblock it, though I did not try hard enough. I think that they are blocking connections to popular VPN services as well, but I don't really know. Without access to their home pages it's hard to connect anyway. I know that people successfully using some mobile apps as VPNs, so while they are trying to block VPN, they are not trying hard enough.

I never had any problems with SSH and I operate my own OpenVPN on VPS using standard port and I never had any problems with it as well.

Not a local reader. I am from Russia.

ZaTelecom Telegram channel (https://t.me/zatelecom) claims that that not all ISPs have rolled out the MITM attack. For now, a good solution would be to switch to a different ISP (it's not like in the US, each home has access to 2-5 different ISPs).

Also, users ask everyone to use a VPN. So, I think that they have access to VPNs.

I checked these a few months ago and both services were working fine.

Almost exactly a year ago I asked this:


Guess it wasn't canceled after all.

hmm, certificate pinning will not allow this gov-ca to work for a lot of high profile web sites. i wonder if these sites with cert pins are whitelisted by the kz gov?


somehow i missed that HPKP is dead and will be removed from chromium and all the derivative browsers. now google is focusing on Expect-CT

My understanding is pinning will not block this, locally installed trust anchors bypass pinning. https://groups.google.com/d/msg/mozilla.dev.security.policy/...

That's correct, HPKP does not block this. If some application uses manual pinning, it'll work (or, rather, won't work at all).

Although pinned certificates have gone out of favor on the web, they are still very frequently used by iOS and Android apps. Last time I checked, the Facebook Messenger app refused to work when being MitM'ed.

I hope they pin on the key, not the certificate. For a mobile app I worked on, I had it pin the public key on the leaf certificate and indeed it would fail to connect in this scenario.

Could someone explain to me what this means and/or why it's bad?

When you connect to a website via HTTPS, your browser downloads the certificate from that website and validates it by checking that the website's certificate was cryptographically signed by an entity that the browser trusts. If the certificate is valid, then you can assume that your data will only be decrypt-able by the website owner, so the connection is secure. Your browser will display a happy green banner showing that the connection is secure, so you can feel safe sending private data to that website without it being eaves-dropped along the way.

The browser checks for validity by ensuring the website certificate is signed by a certificate that is shipped with the browser. These "root certificates" are usually owned by Certificate Authorities, such as Verisign or any other number of CAs. CAs ought to verify that the entity creating a new certificate is who they claim to be (the website owner) before signing a certificate. This way, you trust Verisign to tell you that you can trust the target website.

What Kazakhstan has done is create their own root certificate and asked people who live there to install it in their browsers. They are also intercepting any connection to facebook.com and giving your browser a Kazakhstan-created certificate, which is then verified against the Kazakhstan-owned root certificate. Since it will pass this check, the browser shows a happy green banner, even though the certificate is owned by Kazakhstan and not facebook.com. In other words, the data people in Kazakhstan send to facebook.com is now being intercepted and decrypted by Kazakhstan before being forwarded to facebook.com. Facebook is the example used in the linked bug, they can perform this with any other website, too.

Could companies like Facebook, Google, perhaps CloudFlare detect this is happening in anyway I wonder? Are there any characteristics of the non-FB certificate connections that could reliably be detected either in the headers sent to FB, or via client-side JS?

How about comparing the IP address of the request with the IP address reported in requests to the FB server with the IP reported if you make an XHR call to a different domain endpoint that returns your IP? That would compare the physical browser's IP with the MITM 'requestors' IP?

If enough of the centralised sites and CDNs look out for this it would render it a lot less effective. This also turns a undetected user security/privacy problem into an in your face "firewall" from the user's point of view. Now the user asks their tech friend "why can't I see FB" and their tech friends sets them up on a VPN.

Apologies if this is hand wavey I'm not a network or security expert but I am curious about this.

It's been a long time since Verisign was a public CA.

The Verisign brand lives on, but it was acquired by Symantec back in 2010, Symantec then sold their CA business to DigiCert back in 2017. So although you may find certificates with "Verisign" branding on them, that has nothing to do with the company named Verisign.

What prevents us from having to trust Verisign (or its employees) or a government warrant, etc. to not do the same?

Can we leverage signed DNS records to add another layer of control needed? Do we also need encrypted DNS where we can choose who to trust? Are we stuck with the CA trust model?

> What prevents us from having to trust Verisign (or its employees) or a government warrant, etc. to not do the same?

Certificate Transparency. Current browsers are moving to not trust any certificate whose issuance wasn't publicly logged. That doesn't prevent an attacker from issuing an MITM certificate, but doing so would permanently burn a CA. (At least, once the policies are in place and enforced.)

The thing with certificate is that they not only add security, but they also act as a signature.

If Verisign deliver a certificate with the wrong domain, you'll be able to know that Verisign signed that certificate.

They could certainly say it was a mistake somewhere in the process, but that argument won't work for ever.

At one point sadly you need to trust someone. This model at least give you a way to prove that trust has been broken.

Trusted certificate authorities log issued certificates to verified certificate transparency logs.

Site owners can monitor these logs for rogue certs issued for their own domains.

You're right, trust is a major issue with any PKI. You can find hundreds of research papers and blog posts and probably even a few whole books on the topic, I'm sure :)

> What Kazakhstan has done is create their own root certificate and asked people who live there to install it in their browsers.

Is this voluntary? If I bring a device into the country without this certificate (or if the local removes it from their machine) do things go back to normal?

If you don't have the special root certificate installed, the browser will refuse to connect because the certificate being presented is invalid (it's the government spying certificate, which you don't trust, not Facebook's certificate, which you do trust).

Your browser will reject the bogus FB certificate. You can tell your browser to connect anyway with the bogus cert, but it will still be MITM'd. There's no way around this (outside of using a VPN or whatever to effectively remove yourself from Kazakhstan).

Going back to normal, i.e the browser saying that the presented certificate is invalid, yes. But you will not be able to browse anything over a HTTPS connection. (Or do other stuff over PKI based TLS, i.e downloading software updates etc.)

Shoot, I hadn't even considered software updates. If this is installed at the system level, they could MITM any software update mechanism that doesn't use cert pinning, couldn't they? Woof.

Yep... I wonder how common it for "sensitive" software to neither use pinned certs nor some package level signing? But probably common enough that it can be abused...

The state of Kazakhstan is intercepting all encrypted web traffic. They may filter it, block it, inject nasty things (malware etc) or just spy on the populace.

A Certificate Authority is an entity that verifies the identity of websites for your browser. There are only a few CA's in the world and their integrity is crucial because of how your browser trusts them. By making users install a government-issued CA, and also controlling their internet provider, the Kazakh government can pretend to be any website and therefore see all HTTPS traffic from the affected users.

Internet provider will be able to read all your data in plaintext. Logins, passwords, anything you send.

The Govt of KZ in this case can monitor all internet traffic over HTTPS.


The government and ISPs will have access to everything people do on the internet in Kazakhstan.

I'm in Kazakhstan atm, the only solution I can see is to reach Google, Mozilla, Firefox, Apple, banks and all the other popular platforms and social media apps and ask them to ban connections with the government-issued certificate.

This will immediately block their services in the country and will raise awareness at scale.


How does this work technically?

I understand that by making people install the government cert, any website with a cert signed by that government cert will happily speak TLS.

But, how can they read data transmitted between websites they don't control? When the client asks for Facebook's cert, wouldn't the government have to sneak in and show a fake cert signed by them instead? How does that work?

It can probably work as MITM. The ISP or whoever controls your net traffic needs to generate a fake certificate(signed by a trusted root cert) for a site you are browsing. Refer example in: https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Just think about this for a minute.

The regime has just painted a huge "X" on their backs.

If you hack the governments servers and steal the certificate private key you can pretty much rob the entire country - all bank transactions, pins, passwords etc. will be in the clear for you, ripe for the picking.

This is yet another reason why backdoors are so dangerous, not just for the privacy of all citizens.

Does these MITM-middleware softwares usually verify the cert presented by the server? If not, I guess this could be used to double-MITM the user?

If someone manages to redirect traffic by e.g DNS spoof to some server which presents a self-signed certificate for e.g Facebook.com, the government-MITM would just sign that as being Facebook.com.

It seems like it's easy to take down the site that's hosting the certs (http://qca.kz/). Maybe that's an appropriate response to this...

   $ wrk -t 50 -c 500 -d 5m --latency --timeout 3s http://qca.kz/

Absolute morons. They will break windows updates. You cannot easily mitm Windows updates. There is additional undocumented check that the CA is from Microsoft. One needs to hotpatch the windows update dll’s to enable it. That’s almost certainly one that won’t be intercepted.

Have other governments requested their citizens to install country specific CAs? For some reason, I thought China already employed this practice (although I guess they wouldn't need to, as they just tend to block everything that isn't government approved).

AFAIK it did not happen yet anywhere, including China. Kazakhstan is kind of "leader" there. Though I'm sure more countries will follow.

Lets say you have this root CA installed on local machine and won't delete it. Can you protect yourself against https decryption by MITM in any way? Will VPN help or they will intercept VPN connection too?

Use a browser that doesn't use the CA list of the OS (such as Firefox) and tunnel all the traffic via a stealthy VPN.

It would probably be illegal and if the regime finds out they'll put you into jail etc.

Many of us already trust certificates we shouldn't be.

It's not even this blatant in most cases. About 6 countries have issued certificates for Google, India being one of them. And they all made use of the fact that they were part of the trusted root certificates on our systems.


This is being discussed here as well https://groups.google.com/forum/#!msg/mozilla.dev.security.p...

I like the idea of a permanent, non-removable banner saying "Kazakhstan is spying on you, learn more here <link to more info>.".

Actually, a dns caa record could be of use in this scenario to at least alert the client that the traffic has been intercepted. Then again it is trivial to intercept and rewrite plain DNS requests and dns over https would also be subject to the same https mitm intercept... Maybe certificate pinning was a right idea.

CAA is for issuers, not for browsers. And yes, without DNSSEC it's easily spoofed.

That is true, however it could be used for CA verification also, could it not?

Edit: RFC 6844 very unambigously states that it can be used for additional verification:

CAA records MAY be used by Certificate Evaluators as a possible indicator of a security policy violation. Such use SHOULD take account of the possibility that published CAA records changed between the time a certificate was issued and the time at which the certificate was observed by the Certificate Evaluator.

I think everyone who is concerned with privacy in states like those, use ToR anyway all the time. I know people who only do meaningful stuff on the Internet through an RDP session on a server in Amsterdam, connected to through a VPN. The rest is just to watch cat videos.

This is bad because we don't like it when a foreign government infringes on foreign citizens' rights, but it may also be good (in a limited sense) because it might bring a whole lot more public scrutiny (from all countries and their citizens) towards the issue...

This will _not_ be good.

To the extent that Kazakhstan succeeds with this, it will only make other governments jealous of the capability and want it for themselves.

Firefox and Chrome updating their browsers to block these certificates won't also work, since the Kazak government can just fork Firefox and create their own browser which accepts their rogue certificate. And block all other browsers which don't.

I live in Kazakhstan and have not seen this yet. No MITM according to the provided tests (mholt)

It's only rolled out to 20-30% of the country right now: https://atlas.ripe.net/measurements/22372655/#!probes

Many "democracy loving" politicians today:

"I knew the techies could do it! They told me they couldn't but I knew they were lies. See! even Kazakhstan can do it, so why can't I also break HTTPS encryption?"

At what point does this become an OFAC issue for browser vendors based in the states? I would be stunned if someone at Commerce isn't already circulating enforcement memos about this.

I think that's terribly optimistic. I think there are all kinds of people in the US government who would like to be able to point to a success story of a scheme like this, so that they'll have more ammunition in support of implementing it here.

As for whether designating that browser vendors can't distribute software to Kazakhstan, their government would just fork an open-source one, mod it to pre-include their MiTM cert, and force their citizens to use that.

It seems like there is a structural problem in relying on authority (in a CA) for encryption. Probably by design.

I think ultimately the solution is going to be p2p content-centric approaches.

Would it be possible to also blackhole the domains used to host the bad CAs? Yes they could counter this but it would buy some time before browsers are updated.

The best solution would be to blacklist rouge SSL certs.

Aw, let them use whatever color they like.

They probably will issue alternative Firefox and Chromium build. That would be worse. Though if entire tech industry will fight this attempt, like Windows will stop updating, macOS, iOS, Android, etc, probably they will step back. But I don't think that anyone would do so. Especially because that scenario is legitimate and widely used by corporations to control their perimeter and Kazakhstan ultimately does not differ.

Doing so will make the internet (In Kazakhstan) unusable, because everywhere you go, you will see an 'untrusted cert' warning.

Sometimes stuff likes this needs doing in order to show how bad MITM is.

Okay, say you live in Kazakhstan. You stop using the Internet.

Do you think the government will care?

Think more towards break everything, as you would end up with out of date broowsers being used. This will have the side effect of causing almost the whole country to be vulnerable to attack.

Instability is the key.

If it ruins their economy, yes.

99% of the population will happily install the government cert, and life will move on.

The 1% will either put up with it, stop using the internet, or leave.

One thing will happen though - the economy will not be ruined.

Generally speaking, since the Cold War ended, these sorts of countries don't mind troublemakers leaving. It's better international PR for them to have 'problem people' leave voluntarily, than to repress them.

For example there's no way for my LG TV to install that root CA, so all that smartness basically rendered useless, unless LG would issue new firmware for that region and I'm not really sure that they would care enough. I bet that there are plenty of devices that would stop working. Think about all those IoT devices. I could imagine some kind of eye surgery laser device to stop working because it can't connect to its Zurich servers to check license. Yes, it won't cause revolution, but there will be a lot of issues.

Thats why I suggest web browsers blacklist this cert that is not apporved by the websites affected.

Perhaps whitelist just the bleu-marine ones?

Does such a certificate compromise non-browser traffic as well? Like SSH tunnels, mobile apps, Telegram etc.

SSH doesn't depend on certificate authorities, it's up to you to manage your own keys, each end point also has a uniquely generated signature which avoids MITM after first time auth (including by taking over domains).

This is a HTTPS only issue and fundamentally it's the same problem as control over domains (ease of manipulation through centralisation).

So that means apps like Instagram are safe to chat in?

Not necessarily.

As far as I know, both the apps you mentioned use HTTPS. However, apps have the option of doing what's called Certificate Pinning.

That's when the application ignore OS/User trust settings about certificates, and just allows a list of hardcoded certificates / certificates signed by a hardcoded CA. Akin to how SSH works (kind of...).

If I remember correctly both Telegram and Instagram have pinned their certificates, which would probably block all network communication but not allow for a MITM attack, even if the user installed the KZ root certificate.

I think all Facebook apps do this, and probably most major apps from big companies. I tried to do some research on what requests the Facebook app was making on my phone and it was pretty difficult to get it to allow me to use Charles proxy (when I installed the cert on my phone the app just stopped working) because of the certificate pinning. The only way this would work is if the government created their own FB, etc. app and somehow distributed it.

I guess you'd have to install the certificate on your phone too. I guess that means that visitors to Kazakhstan won't have internet access during their stay, unless they install the malicious certificate on their phones as well. I really hope this doesn't set a precedent.

Inmarsat offers relatively slow, very expensive satellite Internet uplink services if you really need some connectivity: https://www.inmarsat.com/service/isathub/

Just don't install that certificate. If something stops working, you'll know that they tried to break that channel. If something's working, then it's OK. And if you need things to work, use VPN.

SSH no, mobile apps and telegram probably if they use TLS.

Hopefully Starlink will launch soon. Good luck with a MITM attack on a satellite connection.

Does anyone have ideas, who is the tech vendor?

Russians? Chinese?

They could perfectly well do it themselves.

Hooray for firefox! Why use any other browser?

What about iot and embedded systems?

try ssh tunnel

I would actually be shocked if US agencies can't do the same here almost all the time. There has to be at least one trusted root authority that is controlled by an agency. Do you remember when RSA made a $10 mil deal to give .gov a backdoor back in the day. There is no reason any major US based certificate issuer couldn't do the same, or an employee turned into an asset to sneak it to them, or they just straight hack the places and get certs they can generate anything on. You might be able to detect it by logging the issuer of the cert, the browser doesn't care who auths it as long as it is trusted. It would be odd for most places to have certs issued by multiple authorities.

I blame, in part, TLS 1.3, E-SNI, and DoH for this.

Previously, a government could monitor what site a user is visiting just by looking at the TLS session startup. Even if it is hosted on a cloud provider and 100 different sites are hosted from the same IP, they could look at the TLS-SNI data in the plain text to choose to interrupt and block the connection.

A fallback would be to manipulate DNS queries and force all DNS queries to be directed to official DNS resolvers. But DoH makes that far harder to control.

This is a bluff being called. Tech said "If we make it so that they have to spend all this money and build a massive scale intercept that actively participates in each TLS session, they won't buy into the cost."

Costs keep going down for this sort of thing. Now there are large organizations and governments willing to work on this stuff.

It's probably completely unrelated.

DoH is easy to block. They can look at SNI and cut DoH connections.

Being able to access all the content is far more valuable than hostnames.

We have E-SNI now, where SNI is encrypted. And you have DoH providers who'll use that.

And then massive CDNs will start to support it.

Some of them might even enable it, with encrypted SNI, on _every single listener on all of their IPs_.

DoH was designed to evolve into something nearly unblock able. Unless you active intercept 100%.

Which some people believed no one would pay up for or that it would be unscalable. This stuff only gets cheaper and easier.

Warning: what follows is completely baseless speculation, and let's concede that right off the bat.

Who's to say that this isn't happening in the US as well? The US has invested billions of dollars in dragnet surveillance that is allegedly useless for anything other than metadata in the context of HTTPS.

Is it out of the question to ask whether our secret courts could issue gag orders and claim that national security mandates CA root keys? Such a gag order would only be served to a small group of engineers at large companies, and those engineers would have no right to report on it. We're talking about only a few hundred FISA gag orders, and thousands are served annually. It would make their multibillion dollar infrastructure useful again, wouldn't surprise me if some (unnamed, anonymous) judge bought the argument.

To employees at vulnerable companies, what's your PKI like? Is anyone aware of a company that implements strong multi-party checks on accesses to important private keys? If the NSA wanted your keys, how many employees would need to be served gag orders? Is it on the order of dozens or hundreds?

The larger the conspiracy theory is, the higher the risk that someone will simply decide it's worth whistleblowing on. The whistleblowing could even be effectively done anonymously in this case. Secret Government surveillance of end to end encrypted data in the US would be such a huge news story and public interest that it wouldn't be difficult to find engineers willing to take the risk of anonymously providing evidence of it to the press.

A "few hundred" gag orders placed on engineers about something deeply outrageous sounds completely implausible as lasting secrecy. Secrets simply can't be kept at that scale.

Even NSA employees themselves would eventually refuse to keep such a program secret, as we saw with Snowden.

Earlier this would probably have been a somewhat plausible solution, but not even then for mass scale surveillance.

Assume NSA et. al had access to trusted CA private keys, then they could generate certificates for arbitrary domains which would be trusted by clients. But if they MITM'ed _all_ connections (or even a large portion) surely someone would have noticed, like in the DigiNotar case [0].

But it's even harder (or better) now, with the advent of Certificate Transparency. Since browsers check certificates, periodically, against the CT logs which would fail for forged certificates [1].

However, stealing private keys from companies themselves is a practice that I can imagine happening on a small scale, like the Realtek signing keys for Stuxnet [2]. But doing that on a large scale is not really sustainable.

[0]: https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudule... [1]: https://security.stackexchange.com/questions/190096/how-will... [2]: https://en.wikipedia.org/wiki/Stuxnet#Windows_infection

If the NSA was using their own certificates to MITM all HTTPS traffic it would be easily noticed by security researchers. Its not like they obtain the private keys of every US company. They'd have to make their own replacement certain for every site they wish to intercept. That could easily be noticed by security professionals and targeted companies by monitoring.

What about just for the Alexa 100?

Far too many people would be able to notice. Someone in one of the companies would whistleblow.

But would they? The Snowden leaks were 6 years ago. I am assuming the government didn't just throw up their hands and give up after that...

edit: not to say they are specifically MITM'ing HTTPS widescale.

There are a lot easier ways to exfiltrate data than wholesale breaking TLS encryption and MITM'ing 295+ tbps of domestic traffic. That said, every super power is working on better decryption capabilities.

Event just a single site from the alexa 100 would be too obvious. I'm sure some security researchers and/or companies are already monitoring the certificates issued from major websites for abnormalities.

>Who's to say that this isn't happening in the US as well?

No one can say it because you just claimed it's all secret and can't be proven.



I could of sworn there are instances where root authorities had brush ins with the law, maybe I'm just remembering a theoretical rant I heard somewhere.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact