Apple, Google, Microsoft, and Mozilla Ban Kazakhstan's MitM HTTPS Certificate (zdnet.com)
Browser makers Apple, Google, Microsoft, and Mozilla have banned a root certificate that was being used by the Kazakhstan government to intercept and decrypt HTTPS traffic for residents in the country's capital, the city of Nur-Sultan (formerly Astana). From a report: The certificate had been in use since December 6, 2020, when Kazakh officials forced local internet service providers to block Nur-Sultan residents from accessing foreign sites unless they had a specific digital certificate issued by the government installed on their devices. While users were able to access most foreign-hosted sites, access was blocked to sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix, unless they had the certificate installed. Kazakh officials justified their actions claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies. Officials cited that cyberattacks targeting "Kazakhstan's segment of the internet" grew 2.7 times during the current COVID-19 pandemic as the primary reason for launching the exercise. The government's explanation did, however, make zero technical sense, as certificates can't prevent mass cyber-attacks and are usually used only for encrypting and safeguarding traffic from third-party observers. After today's ban, even if users have the certificate installed, browsers like Chrome, Edge, Mozilla, and Safari will refuse to use it, preventing Kazakh officials from intercepting user data.
Re: (Score:2)
Re:This is why we should be using FOSS browsers (Score:5, Informative)
No one who really understands tech seriously wants Apple to install back doors in its tech for various spooks. This is the same thing. The oppressive governments are trying to regulate an industry in ways that are not in the interest of the people being governed. Sometimes the industries are obscure and the issues complex. Luckily, with tech, that isn't the case, and the pushback can be loud and withstand the government's attacks on security.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
While I'm glad they did, I agree with the OP.
That's because you're clueless. Certificate-based security systems inherently rely on a method of revocation. I.e. SSL would be fundamentally broken if the ability to revoke a misused certificate did not exist. This is a misused certificate.
If you agree with the OP I highly suggest reading up on how SSL works and the fundamental checks and balances that the system built around it has to ensure *your* security.
Re:This is why we should be using FOSS browsers (Score:5, Informative)
These companies should not have the power to do this.
Why the heck not? Google/etc's actions are protecting the security integrity of TLS.
Even if they were... FOSS TLS clients still require a trusted root certificate infrastructure, because that's how the protocol works.
And per the standards... In case you were unaware: root CAs also have the ability to sign and issue Certificate Revocation Lists that browsers are expected to load and use, very much in the same way that CAs sign and issue certificates. It is USUALLY used to revoke a certificate signed by the same CA, but certificate authorities also have the power to include certificates from other authorities, and even other root authorities, in their Certificate Revocation List. If major funny business is afoot, then it makes sense for the centrally trusted authorities to take action to block rogue certs, and indeed rogue intermediates and rogue roots as well.
Also, in case you were unaware... Mozilla and Chromium are OSS projects.
99% of end users are non-technical and will not be building their software from source code.
Re: (Score:3)
How about because Kazakhstan has a nominally democratic government that has enacted rules governing its people. While I think you could make an argument that outside organizations can and perhaps should take exception to policies that run counter to their own values (specifically the values of their own nation), with the possible exception of Mozilla the players here are extremely hypocritical.
If Google, Microsoft, and the others took a consistent stance against censorship and privacy rights online I might feel di
Re: (Score:1)
Because many are FORCED to use Google et al. It's that or death, isn't it?
Imagine a world where you didn't actually have to use the internet to live. Amazingly you can still do exactly that. Amazingly we lived fine before the internet and trolls. So I guess that it's not really an issue for those people. The only box is a perceived one. Don't use the internet.
Re: (Score:1)
Any large organization is going to have split personalities as there are many leaders all responsible for different thin
Re: (Score:2)
Re: (Score:3)
How about because Kazakhstan has a nominally democratic government that has enacted rules governing its people.
The government's supposed system for electing its rulers cannot justify tyrannical actions of any kind. It does not matter if you have a direct democracy or what: human rights are human rights.
Spying on citizens' web browsing and private communications, and attempts to backdoor their cryptography, are inherently evil, regardless of what you think of their form of government, a
Re: (Score:2)
LOL. Weird way to spell "countries."
Pro tip: whoever initiates force is the bad guy. That's not Apple, Google, Microsoft, or Mozilla.
Re: (Score:3)
So you are saying they don't have the right to make an app they wrote themselves and distribute for free from their servers do whatever they damned well please? Give me a break.
If I really stretch, I can imagine a world where you might have a point. It would be a world where the Internet is an essential utility like it is now, but a sole company controlled and produced the black-box, closed-source software used to access it. What we have is the reverse of that.
Re: (Score:1)
Re: (Score:2)
The SSL infrastructure literally requires these companies to be able to do this. Certificate revocation was a core part of the security infrastructure as designed. Get a clue.
Block the updates? (Score:2)
Re: (Score:3)
If the government has already wedged itself in the middle, then what keeps them from blocking / manipulating the updates that are designed to cause their certificate to become untrusted?
Remember the big shouting that went on when Apple checked that apps had valid certificates and their servers ran out of steam? Whenever a root certificate is used, iOS (and I would assume all the others as well) will check that the certificate is not revoked. You can block the revocation check of course; in that case it's assumed that the certificate is revoked.
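The two mechanisms discussed in this thread, a CA-signed CRL that revokes specific serials (the comment about revocation lists above) and a vendor-side distrust of a root that stays installed on the device (this comment and the story itself), can be shown side by side with Go's standard library. The following is an added example written for this page, not code from the browsers or from any project the story names: all keys and certificates are generated at run time as constructed test data, the "Interception Root" and "example.test" names are placeholders, and the hard-fail on an unreadable CRL is the policy described in the comment above (real clients differ on this). The distrust list is keyed on a SHA-256 of the root's SubjectPublicKeyInfo, the assumption being that a vendor blocklist should match the key rather than one certificate, so that a re-issued root with the same key stays blocked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// keyCert pairs a private key with its certificate. Everything built here is
// constructed test data; no real CA or real interception certificate is used.
type keyCert struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// sign creates the certificate described by tmpl, signed by parent
// (self-signed when parent is nil), and returns it with its fresh key.
func sign(tmpl *x509.Certificate, parent *keyCert) *keyCert {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &keyCert{key, cert}
}

// newCA creates a self-signed root that may sign certificates and CRLs.
func newCA(name string) *keyCert {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// issueLeaf has ca sign a server certificate for host with the given serial.
func issueLeaf(ca *keyCert, host string, serial int64) *x509.Certificate {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca).cert
}

// issueCRL has ca sign a DER-encoded CRL listing the given serials as revoked.
func issueCRL(ca *keyCert, serials []int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
	if err != nil {
		panic(err)
	}
	return der
}

// spkiFingerprint hashes the SubjectPublicKeyInfo, so a distrust entry follows
// the key itself rather than one particular certificate carrying it.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// rootCerts collects the certificates of the given CAs (the device trust store).
func rootCerts(cas ...*keyCert) []*x509.Certificate {
	var out []*x509.Certificate
	for _, ca := range cas {
		out = append(out, ca.cert)
	}
	return out
}

// trustDecision models the client: chain the leaf to an installed root, refuse the
// chain if any certificate in it carries a vendor-distrusted key, then check the
// issuer's CRL. An unreadable or mis-signed CRL is treated as revoked (hard-fail).
func trustDecision(leaf *x509.Certificate, installed []*x509.Certificate,
	distrusted map[string]bool, crlDER []byte) error {
	pool := x509.NewCertPool()
	for _, r := range installed {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	if err != nil {
		return fmt.Errorf("no chain to an installed root: %w", err)
	}
	chain := chains[0] // [leaf, issuer]
	for _, c := range chain {
		if distrusted[spkiFingerprint(c)] {
			return fmt.Errorf("chain contains vendor-distrusted key: %q", c.Subject.CommonName)
		}
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL unreadable, treating leaf as revoked: %w", err)
	}
	if err := crl.CheckSignatureFrom(chain[1]); err != nil {
		return fmt.Errorf("CRL not signed by issuer, treating leaf as revoked: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is on the issuer's CRL", leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	honest, mitm := newCA("Honest Root"), newCA("Interception Root")
	installed := rootCerts(honest, mitm)                               // user was made to install the interception root
	ban := map[string]bool{spkiFingerprint(mitm.cert): true}           // vendor distrust entry for that root's key
	fmt.Println("honest leaf:     ", trustDecision(issueLeaf(honest, "example.test", 100), installed, ban, issueCRL(honest, nil)))
	fmt.Println("intercepted leaf:", trustDecision(issueLeaf(mitm, "example.test", 200), installed, ban, issueCRL(mitm, nil)))
	fmt.Println("revoked leaf:    ", trustDecision(issueLeaf(honest, "example.test", 100), installed, ban, issueCRL(honest, []int64{100})))
}
```

Run it with `go run .`; the first line prints `<nil>` (accepted) and the other two print the rejection reason. The point the thread makes is visible in the second case: the interception root is still in the installed set, and the chain to it builds fine, yet the vendor-side distrust entry rejects it without any cooperation from the CA that issued it, which is why a client-side block is the lever the browser makers actually hold.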
Rich people won't give up their iPhones (Score:2)
So this is the end of the line: they could force sideloading of modified browsers everywhere else, but on iPhones they are out of options. Only the US government and governments with enough economic power to matter can force Apple into compromise.
Re: (Score:2)
So this is the end of the line: they could force sideloading of modified browsers everywhere else, but on iPhones they are out of options. Only the US government and governments with enough economic power to matter can force Apple into compromise.
It's not part of the browser actually; that's just a simplification for laypeople. It's in the http / https download code (which isn't used just by browsers).
Re: (Score:2)
Or it's exactly what certain anti-democratic leadership there wants.
What a perfect way to cut the public off from social media and the ability to give non-state-sanctioned perspectives to the rest of the world. Require TLS interception to 'fight terrorism' or whatever. Sit back and watch the self-righteous sillyvalley tech crowd predictably lock out your cert. Leave the law in place.
Now you have effectively banned social media without banning social media making your position domestically acceptable, but everyone
Hey Apple, Google, and Microsoft.... (Score:5, Interesting)
Re: (Score:3, Insightful)
Don't get too excited, they are only doing this because it's in their own interest. You think any of them give a shit about human rights? I've seen the deals they've made and all the evidence points to the fact that they really do not care about people. Then again, when you high-five Apple, ask why they're trying to stop the crackdown on literal human slavery.
Re: (Score:2)
Sorry, why do you think this has anything to do with human rights? They are doing this because it's their job to revoke certificate authorities from bad actors. That's how SSL / TLS works. No need to give a fuck about the Kazakhs or their rights, or your silly irrelevant concept that has nothing at all to do with ensuring that certificates are not used for MITM attacks.
Re: (Score:2)
They are doing this because it's their job to revoke certificate authorities from bad actors. That's how SSL / TLS works.
Umm... did you misread? Did you think that wasn't the very point I was making?
Re: (Score:2)
No I'm asking you why the fuck you brought up human rights at all. Literally no one is talking about this in this thread.
You frame your comment as a negative. The reality is it's not negative, and not positive, but completely fucking irrelevant. Go push your agenda somewhere else.
Re: (Score:2)
You should really try harder to connect the dots between the original post and my reply. If you cannot see how they are related that's fine but they are related nonetheless. Good day, sir.
Ooh boy (Score:1)
And it ain't like any of these companies can point to a universal respect for freedom of communication as even a figleaf to hide behind given their acquiescence to places like China.
I hope we're all doing this with our eyes open and not sleepwalking into something we're not prepared for.
Re: (Score:2)
Actually that is an interesting point too. Pompeo should pressure the DOJ to start last-minute Logan Act cases against these guys. That would be an interesting test case for the law, and a good step toward reining in these transnationals that think they are beyond the reach of US law.
Re: (Score:1)
Re: Ooh boy (Score:1)
Re: (Score:2)
The Act makes it illegal for citizens to engage in foreign policy.
A good question is where the line is between conducting commerce and policy. 1A probably offers some protection in terms of choosing not to do business with actors you don't like. So you can say I won't sell my phone-unlocking tools to the DPRK because I think they would use them to target reformers.
However, that isn't exactly what is happening here. These companies are not refusing to do business, but rather modifying their systems and practices to i
Do China next (Score:4, Funny)
For those who don't get the joke... (Score:1)
The Chinese Communist party is far more evil than the government of Kazakhstan. Yet, Big Tech often does the CCP's bidding, because $.
Re: (Score:2)
Just kidding.
Do what to China? China isn't abusing SSL in any way that would allow a company to do something about it. Do you propose Google send a spec ops team into China in the middle of the night and unplug their firewall?
On one hand (Score:2, Interesting)
Re: (Score:2)
Kazakhstan could just create a new cert and get back to only being untrusted... but that new cert would probably get banned quickly too. It should be possible for Kazakhstan to generate a new root cert per citizen, but the MITM computations would be higher since each proxy would need to have access
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
I applaud them for no longer trusting the certificates but on the other, it doesn't really change a whole lot. The users will probably click "visit this site anyway" and proceed.
I'm not sure why you would think that, given this very action has actually reversed the Kazakh government's attempts to force these certificates down the throats of their people twice before with perfect effect.
All the other CA certificates: (Score:1)
Still perfectly fine for MITM because Godkings Mozilla and Google told you you are to trust them. --.--
Talk about a shared mass-cognitive-dissonance.