Apple, Google, Microsoft, and Mozilla Ban Kazakhstan's MitM HTTPS Certificate (zdnet.com)

Browser makers Apple, Google, Microsoft, and Mozilla have banned a root certificate that was being used by the Kazakhstan government to intercept and decrypt HTTPS traffic for residents of the country's capital, Nur-Sultan (formerly Astana). From a report: The certificate had been in use since December 6, 2020, when Kazakh officials forced local internet service providers to block Nur-Sultan residents from accessing foreign sites unless they had a specific digital certificate issued by the government installed on their devices. While users were able to access most foreign-hosted sites, access was blocked to sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix unless they had the certificate installed. Kazakh officials justified their actions by claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies. Officials cited a 2.7-fold growth in cyberattacks targeting "Kazakhstan's segment of the internet" during the COVID-19 pandemic as the primary reason for launching the exercise. The government's explanation did, however, make zero technical sense: a root certificate installed on end-user devices cannot prevent mass cyberattacks, and its only effect is to let whoever holds the private key issue certificates for any site, decrypting traffic that TLS would otherwise protect from third-party observers. After today's ban, even if users have the certificate installed, Chrome, Edge, Firefox, and Safari will refuse to accept any certificate chaining to it, preventing Kazakh officials from intercepting user data.
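The mechanism the summary describes is worth seeing concretely. The following Go program is an added example written for this page; it is not code from the ZDNet report or from any browser vendor. It builds a constructed "government" root, has it mint a server certificate for a site the way an intercepting proxy would, and then shows three things: with the root installed in the local trust store the chain verifies normally; a vendor-shipped blocklist entry rejects the same chain even though the root is installed; and re-issuing the root under a new name with the same key does not evade the block, because the blocklist is keyed on the SHA-256 of the public key (SubjectPublicKeyInfo). The certificate names, the host, and the choice of SPKI hashing as the blocklist key are assumptions for illustration; nothing here reproduces the actual Kazakh certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// selfSignedRoot builds a self-signed CA certificate (a constructed stand-in for
// the government-issued root). If key is nil a fresh P-256 key is generated;
// passing an existing key re-issues the same root under a new name, which is
// what an operator might try after the first certificate is distrusted.
func selfSignedRoot(cn string, key *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if key == nil {
		var err error
		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, err
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the CA mint a server certificate for host on the fly, which is
// what an intercepting proxy does for every site a client visits.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiHash returns the hex SHA-256 of a certificate's SubjectPublicKeyInfo.
// Keying the blocklist on the public key rather than the whole certificate means
// a re-issued root with a new name but the same key stays blocked.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyWithBlocklist mirrors the browser behaviour described above: first the
// ordinary chain build against whatever roots the device trusts (including ones
// the user installed), then a hard refusal if any certificate in the chain is on
// the vendor-shipped blocklist, regardless of local trust.
func verifyWithBlocklist(leaf *x509.Certificate, host string, store *x509.CertPool, blocked map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if blocked[spkiHash(c)] {
				return fmt.Errorf("chain anchored in distrusted certificate %q (spki %s...)",
					c.Subject.CommonName, spkiHash(c)[:16])
			}
		}
	}
	return nil
}

func main() {
	root, key, err := selfSignedRoot("Example Government Root (constructed)", nil)
	if err != nil {
		panic(err)
	}
	leaf, err := issueLeaf(root, key, "www.example.com")
	if err != nil {
		panic(err)
	}
	store := x509.NewCertPool()
	store.AddCert(root) // the user followed the ISP's instructions and installed it

	fmt.Println("installed root, no blocklist:", verifyWithBlocklist(leaf, "www.example.com", store, nil))
	blocked := map[string]bool{spkiHash(root): true}
	fmt.Println("installed root, blocklisted: ", verifyWithBlocklist(leaf, "www.example.com", store, blocked))

	// Re-issue the root under a new name with the same key: still blocked.
	renamed, _, _ := selfSignedRoot("Example Government Root v2 (constructed)", key)
	leaf2, _ := issueLeaf(renamed, key, "www.example.com")
	store2 := x509.NewCertPool()
	store2.AddCert(renamed)
	fmt.Println("renamed root, same key:      ", verifyWithBlocklist(leaf2, "www.example.com", store2, blocked))
}
```

The point of the third case is the one the commenters below argue about: a blocklist keyed on the key, not the certificate, forces the interceptor to generate a genuinely new key pair and redeploy it to every client, which is exactly the step the vendors can repeat as often as it happens. Real browsers layer this on top of the system trust store rather than replacing it, so an installed root still works for everything except the specific keys the vendor has chosen to distrust.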
  • If the government has already wedged itself in the middle, then what keeps them from blocking / manipulating the updates that are designed to cause their certificate to become untrusted?
    • If the government has already wedged itself in the middle, then what keeps them from blocking / manipulating the updates that are designed to cause their certificate to become untrusted?

      Remember the big shouting that went on when Apple checked that apps had valid certificates and their servers ran out of steam? Whenever a root certificate is used, iOS (and I would assume all the others as well) will check that the certificate is not revoked. You can block the revocation check of course; in that case it's assumed that the certificate is revoked.

  • So this is end of line, they could force sideloading of modified browsers everywhere else but on iPhones they are out of options. Only the US government and governments with enough economic power to matter can force Apple into compromise.

    • So this is end of line, they could force sideloading of modified browsers everywhere else but on iPhones they are out of options. Only the US government and governments with enough economic power to matter can force Apple into compromise.

      It's not part of the browser actually; that's just a simplification for laypeople. It's in the http / https download code (which isn't used just by browsers).

    • by DarkOx ( 621550 )

      Or its exactly what certain anti-democratic leadership there wants.

      What a perfect way to cut the public off from social media and the ability to give non-state-sanctioned perspectives to the rest of the world. Require TLS interception to 'fight terrorism' or whatever. Sit back and watch the self-righteous sillyvalley tech crowd predictably lock out your cert. Leave the law in place.

      Now you have effectively banned social media without banning social media making your position domestically acceptable, but everyone

  • by dfn5 ( 524972 ) on Monday December 21, 2020 @04:00PM (#60854760) Journal
    High Five
    • Re: (Score:3, Insightful)

      by Gravis Zero ( 934156 )

      Don't get too excited, they are only doing this because it's in their own interest. You think any of them give a shit about human rights? I've seen the deals they've made and all the evidence points to the fact that they really do not care about people. Then again, when you high five Apple, ask about why they're trying to stop the crackdown on literal human slavery.

        Sorry, why do you think this has anything to do with human rights? They are doing this because it's their job to revoke certificate authorities from bad actors. That's how SSL / TLS works. No need to give a fuck about the Kazakhs or their rights, or your silly irrelevant concept that has nothing at all to do with ensuring that certificates are not used for MITM attacks.

          They are doing this because it's their job to revoke certificate authorities from bad actors. That's how SSL / TLS works.

          Umm... did you misread? Did you think that wasn't the very point I was making?

          • No I'm asking you why the fuck you brought up human rights at all. Literally no one is talking about this in this thread.

            You frame your comment as a negative. The reality is it's not negative, and not positive, but completely fucking irrelevant. Go push your agenda somewhere else.

            • You should really try harder to connect the dots between the original post and my reply. If you cannot see how they are related that's fine but they are related nonetheless. Good day, sir.

  • American private companies are deliberately acting against a foreign government.

    And it ain't like any of these companies can point to a universal respect for freedom of communication as even a figleaf to hide behind given their acquiescence to places like China.

    I hope we're all doing this with our eyes open and not sleepwalking into something we're not prepared for.
    • by DarkOx ( 621550 )

      Actually that is an interesting point too. Pompeo should pressure DOJ to start last-minute Logan Act cases against these guys. That would be an interesting test case for the law, and a good step to reining in these transnationals that think they're beyond the reach of US law.

      • How does this involve the US government? The Logan Act criminalizes negotiating on behalf of the US government.
        • If I stood on the Canadian border and started shooting north, the US government would become involved.
        • by DarkOx ( 621550 )

          The Act makes it illegal for citizens to engage in foreign policy.

          A good question is where the line is between conducting commerce and policy. 1A probably offers some protection in terms of choosing not to do business with actors you don't like. So you can say I won't sell my phone unlocking tools to the DPRK because I think they would use it to target reformers.

          However, that isn't exactly what is happening here. These companies are not refusing to do business, but rather modifying their systems and practices to i

  • by TheNameOfNick ( 7286618 ) on Monday December 21, 2020 @04:21PM (#60854802)
    Just kidding.
    • by Anonymous Coward

      The Chinese Communist party is far more evil than the government of Kazakhstan. Yet, Big Tech often does the CCP's bidding, because $.

    • Just kidding.

      Do what to China? China isn't abusing SSL in any way that would allow a company to do something about it. Do you propose Google send a spec ops team into China in the middle of the night and unplug their firewall?

  • On one hand (Score:2, Interesting)

    by ddtmm ( 549094 )
    I applaud them for no longer trusting the certificates but on the other, it doesn't really change a whole lot. The users will probably click "visit this site anyway" and proceed. What's even more unfortunate is that they can permanently allow the untrusted certificates so that they no longer get the popup warnings in the future. This is sad in the long run though because people simply get used to trusting untrustable certs.
    • Nope, the browsers are flat out refusing this cert now. Kazakhstan's gov was trying to get everyone to install the cert and mark it as trusted, but now no major browser will load requests signed with the cert.

      Kazakhstan could just create a new cert and get back to only being untrusted... but that new cert would probably get banned quickly too. It should be possible for Kazakhstan to generate a new root cert per citizen, but the MITM computations would be higher since each proxy would need to have access
      • As was pointed out in a previous post, they could build their own browser. And then require ISPs not to carry any traffic that they can't MITM. China has proven that, with enough determination, you can build a fairly effective firewall. Kazakhstan is a nominally democratic country that (at one point) wanted to join the EU. So they may not wish to escalate. But that doesn't mean it's not possible.
        • China flat out blocks Google/Facebook/whoever and does targeted MITM which is often/usually detected. That is actually far less-intrusive and far safer than what Kazakhstan was trying here.
    • I applaud them for no longer trusting the certificates but on the other, it doesn't really change a whole lot. The users will probably click "visit this site anyway" and proceed.

      I'm not sure why you would think that given this very action has actually reversed the Kazakh government's attempts to force these certificates down the throats of their people twice before with perfect effect.

  • Still perfectly fine for MITM because Godkings Mozilla and Google told you you are to trust them. --.--

    Talk about a shared mass-cognitive-dissonance.
