Major tech firms are pushing back against the Kazakhstan government’s move to force citizens to install a government-issued certificate in their browsers in an attempt to control HTTPS traffic. In response, Google, Apple, and Mozilla have all blocked the certificate to prevent the government from spying on its citizens.
Starting today, Chrome, Firefox, and Safari will display an error message on affected browsers stating that the “Qaznet Trust Network” certificate is not trustworthy when users access websites that are allowed by the government-issued CA root.
The Kazakh government has ordered internet service providers to force citizens into installing a government-issued certificate that supposedly polices the HTTPS traffic of citizens. Earlier this year, ISPs in the country started implementing this policy, cutting off the internet connection of those who did not have the certificate installed on their computers and advising them to install it in order to regain access.
The Law of the Republic of Kazakhstan on Communications, Article 26, and Clause 11 of the Rules for Issuing and Applying a Security Certificate state that all ISPs are required to monitor the encrypted Internet traffic of their customers using government-issued security certificates. The latest advisory sent to the country’s telecommunication providers was issued under the most recent amendment to that legislation, which would make it mandatory for users to install government-issued security certificates.
Once internet users are compelled to install the government-issued certificate, ISPs can generate digital certificates that the user’s browser accepts as valid for any domain whose HTTPS traffic they want to intercept. Under this policy, users will no longer be able to access HTTPS traffic that is not “allowed” by the government.
Aside from policing what citizens can and cannot access on the internet, the CA is also a way for the Kazakh government to spy on its citizens and track their internet behavior. The root certificate, labeled as a “trusted certificate” or “national security certificate,” allows ISPs, once it is installed, to intercept, monitor, and decrypt users’ encrypted HTTPS and TLS connections, allowing the government to spy on its 18 million people and police what content they can and cannot access.
In layman’s terms, installing the government-issued CA will allow the government to decrypt and read all data posted by citizens on popular sites like Facebook, Twitter, and Reddit. The government will also be able to gain access to their sensitive information and intercept passwords.
“When a user in Kazakhstan installs the root certificate provided by their ISP, they are choosing to trust a CA that doesn’t have to follow any rules and can issue a certificate for any website to anyone,” Mozilla explained in a blog post published today.
“This enables the interception and decryption of network communications between Firefox and the website, sometimes referred to as a Monster-in-the-Middle (MITM) attack.”
Furthermore, having the CA root installed will not only allow the government to spy on its citizens but will also expose them to social engineering and other forms of cyberattack. For one, users who have yet to install the government certificate can only access websites without HTTPS connections. This means that the certificate files can be downloaded only from unsecured websites, where hackers can replace the certificate files using MITM attacks.
Amid the global backlash, the government of Kazakhstan backpedaled on the policy, saying that it was just a test of its efforts to monitor cyber threats and guaranteeing that it will never use the technology to spy on its citizens.
However, the three browser companies do not want to risk the potential for government-sponsored espionage using their products. Google said that it would not tolerate any such attempts.
“We will never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users’ data. We have implemented protections from this specific issue, and will always take action to secure our users around the world,” said Parisa Tabriz, Senior Engineering Director, Chrome.
“No action is needed by users to be protected. In addition, the certificate will be added to a blocklist in the Chromium source code and thus should be included in other Chromium-based browsers in due course,” Google added.
Similarly, Apple commented on the issue and affirmed its position on protecting user privacy from any form of espionage. “Apple believes privacy is a fundamental human right, and we design every Apple product from the ground up to protect personal information. We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue,” Apple’s spokesperson said.
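
Because the interception described above depends on a root being present in the user's trust store, a defender can audit an exported store for roots that are blocklisted or that were not part of the approved baseline. The following is an added example, not code from the article or from any browser; the certificate bytes, fingerprints and names such as `audit` are constructed stand-ins, since the article gives no fingerprint for the real certificate.

```python
import base64
import hashlib
import re

# Matches each certificate block in a PEM bundle (other block types are ignored).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

def fingerprints(pem_bundle):
    """Yield the SHA-256 fingerprint (hex) of each certificate's DER bytes."""
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()), validate=True)
        yield hashlib.sha256(der).hexdigest()

def audit(pem_bundle, baseline, blocklist):
    """Sort every root into 'blocked', 'unexpected' (not in baseline) or 'ok'."""
    report = {"blocked": [], "unexpected": [], "ok": []}
    for fp in fingerprints(pem_bundle):
        if fp in blocklist:
            report["blocked"].append(fp)
        elif fp not in baseline:
            report["unexpected"].append(fp)
        else:
            report["ok"].append(fp)
    return report

def _pem(der):
    """Wrap raw bytes in PEM armor (helper for the constructed sample only)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed stand-ins: placeholder bytes, not real X.509 certificates.
VENDOR_ROOT = b"constructed: root shipped with the OS image"
BLOCKED_ROOT = b"constructed: root named on a vendor blocklist"
LOCAL_ROOT = b"constructed: root added after provisioning"

BUNDLE = _pem(VENDOR_ROOT) + _pem(BLOCKED_ROOT) + _pem(LOCAL_ROOT)
BASELINE = {hashlib.sha256(VENDOR_ROOT).hexdigest()}   # approved roots
BLOCKLIST = {hashlib.sha256(BLOCKED_ROOT).hexdigest()}  # roots to reject

if __name__ == "__main__":
    for status, fps in audit(BUNDLE, BASELINE, BLOCKLIST).items():
        for fp in fps:
            print(f"{status:10} {fp}")
```

On a real system, `BUNDLE` would be the exported trust store, and any entry reported as `unexpected` is a root added outside the approved image that should be traced to its installer.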