Apple, Google, Mozilla take steps to block Kazakhstan government surveillance

Posted:
in General Discussion edited August 21
Following moves by Google and Mozilla to block a Kazakhstan government-mandated certificate that facilitated state-sponsored internet surveillance, Apple has done the same in Safari.

Kazakhstan President Kassym-Jomart Tokayev
Kazakhstan President Kassym-Jomart Tokayev


In July, the Kazakhstan National Security Committee said that it was rolling out a government encryption certification to protect citizens from "hacker attacks, online fraud and other kinds of cyber threats." In practice, it was a classic example of a "Man in the middle" attack, that not only allowed the government to read any and all content posted on the internet by the user, it also allowed governmental-sponsored password and credential harvesting.

On Wednesday morning, Apple, Google, and Mozilla made moves to revoke the trusted status of the certificate that the Kazakh ISPs were forced to adopt. Additionally, according to Google and Mozilla, both are introducing "technical solutions" that will prevent the system from functioning in the future.

"Apple believes privacy is a fundamental human right and we design every Apple product from the ground-up to protect personal information," the company said in a statement to AppleInsider and other venues. "We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue."

Reuters reports that Apple hadn't yet taken measures, but AppleInsider has confirmed that the protections have been in place for at least 12 hours.

"People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security," Senior Director of Trust and Security at Mozilla Marshall Erwin said in a statement. "We don't take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists."

Google had a similar response to the matter, saying that "we have implemented protections from this specific issue, and will always take action to secure our users around the world."

The Kazakh government shut down the system on August 7. It said that the roll-out was only a test, and declared that should attacks increase again it could, and would, deploy the system again.

Comments

  • Reply 1 of 10
    razorpitrazorpit Posts: 1,003member
    Apparently, Kazakhstan has a lot less revenue to offer than the Chinese market does. So now we have an upper and lower bracket on the amount of government interference Google allows.
    mac_dogbeowulfschmidtElCapitanlostkiwiwatto_cobraArina14
  • Reply 2 of 10
    razorpit said:
    Apparently, Kazakhstan has a lot less revenue to offer than the Chinese market does. So now we have an upper and lower bracket on the amount of government interference Google allows.
    Insightful. Thanks. 
  • Reply 3 of 10
    gatorguygatorguy Posts: 21,102member
    Following moves by Google and Mozilla to block a Kazakhstan government-mandated certificate that facilitated state-sponsored internet surveillance, Apple has done the same in Safari.

    On Wednesday morning, Apple, Google, and Mozilla made moves to revoke the trusted status of the certificate that the Kazakh ISPs were forced to adopt. Additionally, according to the pair, both are introducing "technical solutions" that will prevent the system from functioning in the future.
    "The pair" in this case refers to Mozilla and Google. 

    A bit more on why this is a huge issue:

    "...browsers implicitly trust certificates that have been locally installed on a user’s computer or smartphone, (and this) behavior raised serious security concerns.

    Once installed, the (Kazakhstan Government's) certificate — used to validate a website’s identity — makes it possible to stage Man in the Middle (MITM) attacks on HTTPS connections. It allows the government to decrypt internet traffic and read whatever a user types or posts, including their passwords."

    “We also strongly encourage anyone who followed the steps to install the Kazakhstan government root certificate to remove it from your devices and to immediately change your passwords, using a strong, unique password for each of your online accounts,” Mozilla cautioned.

    So going forward "the browsers will not trust the certificate even if it has been installed manually — locally installed certificates are normally trusted as they are often needed for development purposes and for internal traffic monitoring in enterprise environments.

    Other than Mozilla's suggestions “No action is needed by users to be protected. In addition, the certificate will be added to a blocklist in the Chromium source code and thus should be included in other Chromium based browsers in due course,” said Andrew Whalley of the Chrome Security team.


    edited August 21 JWSC
  • Reply 4 of 10
    gatorguygatorguy Posts: 21,102member
    razorpit said:
    Apparently, Kazakhstan has a lot less revenue to offer than the Chinese market does. So now we have an upper and lower bracket on the amount of government interference Google allows.
    Ummmm... Google's browser isn't in China. Perhaps you had meant Apple? 
  • Reply 5 of 10
    jbdragonjbdragon Posts: 2,170member
    What is to stop the Kazakhstan government to just get a new certificate? Then hide that fact? They can go even further to require any phone sold in that country to use their own browser. Or already have their own certificate. Whatever it may be to continue to spy on everyone. Maybe require a BACKDOOR into the phone!!!
    watto_cobra
  • Reply 6 of 10
    China’s Great Firewall works differently.  It’s main function is to block content, it also monitors users activity (where they go).  Apple complies with China’s requirement of storing data locally (EU requires the same).  We assume China is combing through the data. The regulations generally are there to protect the users.  For example, the US government could request Microsoft to hand over data on xyz.  If the data is stored in Europe, Europe would need to get involved... It’s a question of sovereignty.

    What Kazakhstan is attempting to do is different.  The “man in the middle” attack is breaking the encryption on the flow of data.  As far as I know it’s unprecedented step by a government.  Apple (etc) wouldn’t allow China to do that either...

    The US government is thought to be doing something similar to what China is doing.  They’re intercepting data for analysis, but not so much the routing of the traffic.  China might block access to Appeinsider.com directly (or Twitter, Facebook, new orgs, etc).  The US and EU would have to go though a legal process of getting the domain removed.  So when a user types in appleinsider.com the browser can’t find the appropriate server that hosts the website.  Users could still access the server directly by typing in the IP address (server location) until the ISP that controls the IP address removes it from their control.  China would just block the IP address directly, from being accessed from within China ...no muss no fuss.  China also controls the DNS servers accessible from with China.  When you try to access appleinsider.com they can sent you somewhere else entirely.

    When the US requests weaker encryption it's closer to what Kazakhstan is doing.  It’s one thing to intercept the data, and another to read the encrypted data.  China, USA, etc. currently have a very difficult time reading encrypted data unless a flaw is found in the encryption algorithm/protocol. TLS is the protocol for a data in motion (traffic) and gets updated to fix issues and strengthen encryption.  Your browser (Safari) says only allow traffic if the TLS version is recent to protect the users.  If you are running and old browser version it might not know about the new TLS version putting you at risk.  

    All the browsers have a trusted list.  Kazakhstan was forcing users to update that list with an certificate that created a backdoor to break the encryption.  No certificate = no internet, from within Kazakhstan unless you use a VPN to get outside of Kazakhstan’s control (local internet).  China can block VPN traffic by analyzing the flow of traffic.  VPN software can change things up to get past the blocking of traffic... it’s a wack-a-mole problem.  So, China’s regulations demands Apple remove VPN software on its App Store.  If Apple didn’t comply China would remove users access to the App Store.

    This isn’t a “Apple likes China more than Kazakhstan issue” it has to comply with local regulations to operate in China (just like anywhere else). What Kazakhstan was attempting was a security issue, essentially breaking the internet, and putting the users at risk.
    edited August 21 lostkiwiJWSCnot_antonviclauyycArina14jony0
  • Reply 7 of 10
    linkmanlinkman Posts: 928member
    So if the govt of Kazakhstan wants to roll their snooping out again using this method what are they left with? A few fringe browsers like Opera? Microsoft's offerings? I suspect that Kazakhstan doesn't have enough clout/market share to require all phones to have some sort of spyware preinstalled -- Apple probably won't cave in. Apple's sales there with a population of 18.5 million is probably small enough to pull out of entirely.
    watto_cobra
  • Reply 8 of 10
    irelandireland Posts: 17,669member
    “Kazakhstan, No. 1 exporter of potassium. All other countries have inferior potassium.”

    ;-)
    edited August 22 watto_cobra
  • Reply 9 of 10
    chasmchasm Posts: 1,667member
    That picture of Kazakhstan President Kassym-Jomart Tokayev makes him look like an embalmed cadaver.
  • Reply 10 of 10
    China’s Great Firewall works differently.  It’s main function is to block content, it also monitors users activity (where they go).  Apple complies with China’s requirement of storing data locally (EU requires the same).  We assume China is combing through the data. The regulations generally are there to protect the users.  For example, the US government could request Microsoft to hand over data on xyz.  If the data is stored in Europe, Europe would need to get involved... It’s a question of sovereignty.

    What Kazakhstan is attempting to do is different.  The “man in the middle” attack is breaking the encryption on the flow of data.  As far as I know it’s unprecedented step by a government.  Apple (etc) wouldn’t allow China to do that either...

    The US government is thought to be doing something similar to what China is doing.  They’re intercepting data for analysis, but not so much the routing of the traffic.  China might block access to Appeinsider.com directly (or Twitter, Facebook, new orgs, etc).  The US and EU would have to go though a legal process of getting the domain removed.  So when a user types in appleinsider.com the browser can’t find the appropriate server that hosts the website.  Users could still access the server directly by typing in the IP address (server location) until the ISP that controls the IP address removes it from their control.  China would just block the IP address directly, from being accessed from within China ...no muss no fuss.  China also controls the DNS servers accessible from with China.  When you try to access appleinsider.com they can sent you somewhere else entirely.

    When the US requests weaker encryption it's closer to what Kazakhstan is doing.  It’s one thing to intercept the data, and another to read the encrypted data.  China, USA, etc. currently have a very difficult time reading encrypted data unless a flaw is found in the encryption algorithm/protocol. TLS is the protocol for a data in motion (traffic) and gets updated to fix issues and strengthen encryption.  Your browser (Safari) says only allow traffic if the TLS version is recent to protect the users.  If you are running and old browser version it might not know about the new TLS version putting you at risk.  

    All the browsers have a trusted list.  Kazakhstan was forcing users to update that list with an certificate that created a backdoor to break the encryption.  No certificate = no internet, from within Kazakhstan unless you use a VPN to get outside of Kazakhstan’s control (local internet).  China can block VPN traffic by analyzing the flow of traffic.  VPN software can change things up to get past the blocking of traffic... it’s a wack-a-mole problem.  So, China’s regulations demands Apple remove VPN software on its App Store.  If Apple didn’t comply China would remove users access to the App Store.

    This isn’t a “Apple likes China more than Kazakhstan issue” it has to comply with local regulations to operate in China (just like anywhere else). What Kazakhstan was attempting was a security issue, essentially breaking the internet, and putting the users at risk.
    Ahhhh...I see it now. So, it isn't like China and Kazakhstan are doing the same thing, and Apple is letting China get away with it. Kazakhstan is essentially doing something very wrong, and Apple is refusing to go along. Thanks for making this much clearer.
Sign In or Register to comment.