Yesterday, Google Chrome, Mozilla Firefox, and Apple’s Safari browsers started blocking a security certificate previously used by Kazakh ISPs to compromise their users’ security and perform dragnet surveillance. We encourage other browsers to take similar security measures. Since the fix has been implemented upstream in Chromium, it shouldn’t take long for other Chromium-based browsers, like Brave, Opera, and Microsoft’s Edge, to do the same.
What Happened, and Why Is It a Problem?
Back in July, Kazakhtelecom, Kazakhstan’s state telecommunications operator, began regularly intercepting encrypted web (HTTPS) connections. Usually, this kind of attack on encrypted HTTPS connections is detectable and leads to loud and visible browser warnings or other safeguards that prevent users from continuing. These security measures work because the certificate used is not trusted by user devices or browsers.
However, Kazakh ISPs also sent instructions telling users to compromise their own security by manually trusting the certificate on their devices and browsers, bypassing the security checks that are built into most devices.
The two-step of Kazakh ISPs deploying an untrusted certificate, and users manually trusting that certificate allows the ISPs to read and even alter the online communication of any of their users, including sensitive user data, messages, emails, and passwords sent over the web. Research and monitoring from Censored Planet found around 40 domains that were being regularly intercepted, including Google services, Facebook services, Twitter, and VK (a Russian social media site).
The government of Kazakhstan had expressed their intention to perform dragnet surveillance like this in the past, but, following widespread backlash, it failed to act on those statements. Now, it seems the Kazakh authorities were serious about undermining the privacy of their entire country's communications — even if it meant forcing individual Internet users to manually compromise their devices’ own built-in privacy protections.
Earlier this month, Kazakhstan’s National Security Committee stated that Kazakhstan had halted the program. The announcement, along with a tweet from the president of Kazakhstan, called the program a successful pilot, claiming it was mounted to detect and counteract external security threats, even though the government’s actions primarily compromised the security of Kazakhstan’s own citizens. The announcement also stated that the program may be deployed again in the future. Censored Planet’s live monitoring indicate that the system was turned off after the first week of August.
This step by Google, Mozilla, and Apple to block the particular certificate that Kazakh ISPs used for traffic interception prevents the government of Kazakhstan from resuming this invasive program, as well as setting a precedent such that browsers may take similar actions against network attacks of this nature in the future. Without strong pushback, it’s likely that Kazakhstan, or other states, might try to repeat their “pilot,” so we also encourage browser vendors, device manufacturers, and operating systems to improve the warnings and tighten the flow around manually trusting new certificates.
Kazakhstan’s actions were a drastic response to the slowly improving security of end-user devices and end-to-end communication online, but they and other countries could take even more invasive steps. Faced with just a handful of secure browsers, the government could next push their citizens to use a browser that does not currently implement this safeguard. We encourage other browsers to take the same steps and stand in solidarity against the government of Kazakhstan’s decision to compromise the Internet security of their entire population. What’s more, designers of user software should anticipate such intrusive state action in future threat models.