Kazakhstan man-in-the-middle attack

Short description: State-actor security exploit by the government of Kazakhstan

In 2015, the government of Kazakhstan created a root certificate which could have enabled a man-in-the-middle attack on HTTPS traffic from Internet users in Kazakhstan. The government described it as a "national security certificate". If installed on users' devices, the certificate would have allowed the Kazakh government to intercept, decrypt, and re-encrypt any traffic passing through systems it controlled.[1][2]

In July 2019, Kazakh ISPs began notifying their users that the certificate, now called the Qaznet Trust Certificate[3] and issued by the state certificate authority, the Qaznet Trust Network, would have to be installed by all users.[4][5]

Sites operated by Google, Facebook and Twitter appeared to be among the Kazakh government's initial targets.[6]

On August 21, 2019, Mozilla and Google simultaneously announced that their Firefox and Chrome web browsers would not accept the government-issued certificate, even if installed manually by users.[7][8] Apple also announced that it would make similar changes to its Safari browser.[6] As of August 2019, Microsoft had not made any changes to its browsers, but reiterated that the government-issued certificate was not in the trusted root store of any of its browsers and would have no effect unless a user manually installed it.[9]

In December 2020, the Kazakh government attempted to re-introduce the government-issued root certificate for a third time.[10] In response to this, browser vendors again announced that they would block any such attempt by invalidating the certificate in their browsers.[11]

References

  1. Nurmakov, Adil (2015-12-05). "Experts Concerned Kazakhstan Plans to Monitor Users' Encrypted Traffic" (in en). https://digital.report/experts-concerned-kazakhstan-plans-to-monitor-users-encrypted-traffic/. 
  2. Nichols, Shaun (3 Dec 2015). "Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs?" (in en). https://www.theregister.co.uk/2015/12/03/kazakhstan_to_maninthemiddle_all_internet_traffic/. 
  3. "Kazakh government will intercept the nation's HTTPS traffic" (in en). https://www.itpro.co.uk/go/34051. 
  4. Afifi-Sabet, Keumars (19 July 2019). "Kazakh government will intercept the nation's HTTPS traffic" (in en). https://www.itpro.co.uk/go/34051. 
  5. Raman, Ram Sundara; Evdokimov, Leonid; Wustrow, Eric; Halderman, Alex; Ensafi, Roya (July 23, 2019). "Kazakhstan's HTTPS Interception". University of Michigan. https://censoredplanet.org/kazakhstan. 
  6. Paris, Martine (2019-08-21). "Google and Mozilla block Kazakhstan root CA certificate from Chrome and Firefox" (in en-US). https://venturebeat.com/2019/08/21/google-and-mozilla-block-kazakhstan-root-ca-certificate-from-chrome-and-firefox/. 
  7. Thayer, Wayne (2019-08-21). "Protecting our Users in Kazakhstan" (in en-US). https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/. 
  8. Whalley, Andrew (2019-08-21). "Protecting Chrome users in Kazakhstan" (in en). https://security.googleblog.com/2019/08/protecting-chrome-users-in-kazakhstan.html. 
  9. Brodkin, Jon (2019-08-21). "Google, Apple, and Mozilla block Kazakhstan government's browser spying" (in en-us). https://arstechnica.com/tech-policy/2019/08/chrome-firefox-and-safari-updated-to-block-kazakhstan-government-spying/. 
  10. Cimpanu, Catalin. "Kazakhstan government is intercepting HTTPS traffic in its capital" (in en). ZDNET. https://www.zdnet.com/article/kazakhstan-government-is-intercepting-https-traffic-in-its-capital/. 
  11. Moon, Mariella (2020-12-18). "Tech giants will block Kazakhstan's web surveillance efforts again" (in en). Engadget. https://www.engadget.com/tech-giants-browsers-block-kazakhstan-web-surveillance-080031499.html.