Apple, Google, Mozilla take steps to block Kazakhstan government surveillance

in General Discussion edited August 2019
Following moves by Google and Mozilla to block a Kazakhstan government-mandated certificate that facilitated state-sponsored internet surveillance, Apple has done the same in Safari.

Kazakhstan President Kassym-Jomart Tokayev

In July, the Kazakhstan National Security Committee said that it was rolling out a government encryption certification to protect citizens from "hacker attacks, online fraud and other kinds of cyber threats." In practice, it was a classic example of a "man-in-the-middle" attack that not only allowed the government to read any and all content posted on the internet by the user, but also allowed government-sponsored password and credential harvesting.

On Wednesday morning, Apple, Google, and Mozilla made moves to revoke the trusted status of the certificate that the Kazakh ISPs were forced to adopt. Additionally, according to Google and Mozilla, both are introducing "technical solutions" that will prevent the system from functioning in the future.

"Apple believes privacy is a fundamental human right and we design every Apple product from the ground-up to protect personal information," the company said in a statement to AppleInsider and other venues. "We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue."

Reuters reports that Apple hadn't yet taken measures, but AppleInsider has confirmed that the protections have been in place for at least 12 hours.

"People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security," Senior Director of Trust and Security at Mozilla Marshall Erwin said in a statement. "We don't take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists."

Google had a similar response to the matter, saying that "we have implemented protections from this specific issue, and will always take action to secure our users around the world."

The Kazakh government shut down the system on August 7. It said that the roll-out was only a test, and declared that should attacks increase again it could, and would, deploy the system again.

Comments

  • Reply 1 of 10
    razorpit Posts: 1,796 member
    Apparently, Kazakhstan has a lot less revenue to offer than the Chinese market does. So now we have an upper and lower bracket on the amount of government interference Google allows.
  • Reply 2 of 10
    22july2013 Posts: 3,571 member
    razorpit said:
    Apparently, Kazakhstan has a lot less revenue to offer than the Chinese market does. So now we have an upper and lower bracket on the amount of government interference Google allows.
    Insightful. Thanks. 
  • Reply 3 of 10
    gatorguy Posts: 24,213 member
    Following moves by Google and Mozilla to block a Kazakhstan government-mandated certificate that facilitated state-sponsored internet surveillance, Apple has done the same in Safari.

    On Wednesday morning, Apple, Google, and Mozilla made moves to revoke the trusted status of the certificate that the Kazakh ISPs were forced to adopt. Additionally, according to the pair, both are introducing "technical solutions" that will prevent the system from functioning in the future.
    "The pair" in this case refers to Mozilla and Google. 

    A bit more on why this is a huge issue:

    "...browsers implicitly trust certificates that have been locally installed on a user’s computer or smartphone, (and this) behavior raised serious security concerns.

    Once installed, the (Kazakhstan Government's) certificate — used to validate a website’s identity — makes it possible to stage Man in the Middle (MITM) attacks on HTTPS connections. It allows the government to decrypt internet traffic and read whatever a user types or posts, including their passwords."

    “We also strongly encourage anyone who followed the steps to install the Kazakhstan government root certificate to remove it from your devices and to immediately change your passwords, using a strong, unique password for each of your online accounts,” Mozilla cautioned.

    So going forward "the browsers will not trust the certificate even if it has been installed manually — locally installed certificates are normally trusted as they are often needed for development purposes and for internal traffic monitoring in enterprise environments."

    Other than Mozilla's suggestions “No action is needed by users to be protected. In addition, the certificate will be added to a blocklist in the Chromium source code and thus should be included in other Chromium based browsers in due course,” said Andrew Whalley of the Chrome Security team.


    edited August 2019
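
The trust behaviour described in the reply above, modelled as an added example (not code from the article, the browser vendors or the commenter): a blocklist consulted before any trust store means a manually installed root no longer validates, while other locally installed roots keep working. It assumes a blocklist keyed by the SHA-256 fingerprint of the DER certificate; the function names are hypothetical and the "certificates" are constructed placeholder bytes, not real certificates.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_bundle)]


def root_decision(fp, builtin, local, blocklist):
    """Trust decision for a chain's root fingerprint.

    The blocklist is checked first, so installing a blocked root by hand
    cannot make it trusted again (assumed model of the vendors' change).
    """
    if fp in blocklist:
        return "blocked"
    if fp in builtin:
        return "trusted (built-in)"
    if fp in local:
        return "trusted (locally installed)"
    return "untrusted"


def audit_local_store(pem_bundle, blocklist):
    """Fingerprints in a locally installed bundle that should be removed."""
    return [fp for fp in fingerprints(pem_bundle) if fp in blocklist]


# Constructed placeholder bytes standing in for DER certificates.
MANDATED_ROOT = b"constructed: government-mandated root"
ENTERPRISE_ROOT = b"constructed: enterprise inspection root"
LOCAL_BUNDLE = (ssl.DER_cert_to_PEM_cert(MANDATED_ROOT)
                + ssl.DER_cert_to_PEM_cert(ENTERPRISE_ROOT))
MANDATED_FP = hashlib.sha256(MANDATED_ROOT).hexdigest()
BLOCKLIST = {MANDATED_FP}

if __name__ == "__main__":
    local = set(fingerprints(LOCAL_BUNDLE))
    for fp in sorted(local):
        print(fp[:16], "before:", root_decision(fp, set(), local, set()),
              "| after:", root_decision(fp, set(), local, BLOCKLIST))
    print("remove from device:", audit_local_store(LOCAL_BUNDLE, BLOCKLIST))
```
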
  • Reply 4 of 10
    gatorguy Posts: 24,213 member
    razorpit said:
    Apparently, Kazakhstan has a lot less revenue to offer than the Chinese market does. So now we have an upper and lower bracket on the amount of government interference Google allows.
    Ummmm... Google's browser isn't in China. Perhaps you had meant Apple? 
  • Reply 5 of 10
    jbdragon Posts: 2,311 member
    What is to stop the Kazakhstan government from just getting a new certificate? Then hide that fact? They can go even further to require any phone sold in that country to use their own browser. Or already have their own certificate. Whatever it may be to continue to spy on everyone. Maybe require a BACKDOOR into the phone!!!
  • Reply 6 of 10
    China’s Great Firewall works differently. Its main function is to block content; it also monitors users’ activity (where they go). Apple complies with China’s requirement of storing data locally (EU requires the same). We assume China is combing through the data. The regulations generally are there to protect the users. For example, the US government could request Microsoft to hand over data on xyz. If the data is stored in Europe, Europe would need to get involved... It’s a question of sovereignty.

    What Kazakhstan is attempting to do is different. The “man in the middle” attack is breaking the encryption on the flow of data. As far as I know it’s an unprecedented step by a government. Apple (etc) wouldn’t allow China to do that either...

    The US government is thought to be doing something similar to what China is doing. They’re intercepting data for analysis, but not so much the routing of the traffic. China might block access to Appleinsider.com directly (or Twitter, Facebook, news orgs, etc). The US and EU would have to go through a legal process of getting the domain removed. So when a user types in appleinsider.com the browser can’t find the appropriate server that hosts the website. Users could still access the server directly by typing in the IP address (server location) until the ISP that controls the IP address removes it from their control. China would just block the IP address directly from being accessed from within China ...no muss no fuss. China also controls the DNS servers accessible from within China. When you try to access appleinsider.com they can send you somewhere else entirely.

    When the US requests weaker encryption it's closer to what Kazakhstan is doing. It’s one thing to intercept the data, and another to read the encrypted data. China, USA, etc. currently have a very difficult time reading encrypted data unless a flaw is found in the encryption algorithm/protocol. TLS is the protocol for data in motion (traffic) and gets updated to fix issues and strengthen encryption. Your browser (Safari) says only allow traffic if the TLS version is recent to protect the users. If you are running an old browser version it might not know about the new TLS version, putting you at risk.

    All the browsers have a trusted list. Kazakhstan was forcing users to update that list with a certificate that created a backdoor to break the encryption. No certificate = no internet, from within Kazakhstan unless you use a VPN to get outside of Kazakhstan’s control (local internet). China can block VPN traffic by analyzing the flow of traffic. VPN software can change things up to get past the blocking of traffic... it’s a whack-a-mole problem. So, China’s regulations demand Apple remove VPN software on its App Store. If Apple didn’t comply China would remove users’ access to the App Store.

    This isn’t an “Apple likes China more than Kazakhstan” issue; it has to comply with local regulations to operate in China (just like anywhere else). What Kazakhstan was attempting was a security issue, essentially breaking the internet, and putting the users at risk.
    edited August 2019
  • Reply 7 of 10
    linkman Posts: 1,035 member
    So if the govt of Kazakhstan wants to roll their snooping out again using this method what are they left with? A few fringe browsers like Opera? Microsoft's offerings? I suspect that Kazakhstan doesn't have enough clout/market share to require all phones to have some sort of spyware preinstalled -- Apple probably won't cave in. Apple's sales there with a population of 18.5 million are probably small enough to pull out of entirely.
  • Reply 8 of 10
    ireland Posts: 17,798 member
    “Kazakhstan, No. 1 exporter of potassium. All other countries have inferior potassium.”

    ;-)
    edited August 2019
  • Reply 9 of 10
    chasm Posts: 3,294 member
    That picture of Kazakhstan President Kassym-Jomart Tokayev makes him look like an embalmed cadaver.
  • Reply 10 of 10
    China’s Great Firewall works differently. Its main function is to block content; it also monitors users’ activity (where they go). Apple complies with China’s requirement of storing data locally (EU requires the same). We assume China is combing through the data. The regulations generally are there to protect the users. For example, the US government could request Microsoft to hand over data on xyz. If the data is stored in Europe, Europe would need to get involved... It’s a question of sovereignty.

    What Kazakhstan is attempting to do is different. The “man in the middle” attack is breaking the encryption on the flow of data. As far as I know it’s an unprecedented step by a government. Apple (etc) wouldn’t allow China to do that either...

    The US government is thought to be doing something similar to what China is doing. They’re intercepting data for analysis, but not so much the routing of the traffic. China might block access to Appleinsider.com directly (or Twitter, Facebook, news orgs, etc). The US and EU would have to go through a legal process of getting the domain removed. So when a user types in appleinsider.com the browser can’t find the appropriate server that hosts the website. Users could still access the server directly by typing in the IP address (server location) until the ISP that controls the IP address removes it from their control. China would just block the IP address directly from being accessed from within China ...no muss no fuss. China also controls the DNS servers accessible from within China. When you try to access appleinsider.com they can send you somewhere else entirely.

    When the US requests weaker encryption it's closer to what Kazakhstan is doing. It’s one thing to intercept the data, and another to read the encrypted data. China, USA, etc. currently have a very difficult time reading encrypted data unless a flaw is found in the encryption algorithm/protocol. TLS is the protocol for data in motion (traffic) and gets updated to fix issues and strengthen encryption. Your browser (Safari) says only allow traffic if the TLS version is recent to protect the users. If you are running an old browser version it might not know about the new TLS version, putting you at risk.

    All the browsers have a trusted list. Kazakhstan was forcing users to update that list with a certificate that created a backdoor to break the encryption. No certificate = no internet, from within Kazakhstan unless you use a VPN to get outside of Kazakhstan’s control (local internet). China can block VPN traffic by analyzing the flow of traffic. VPN software can change things up to get past the blocking of traffic... it’s a whack-a-mole problem. So, China’s regulations demand Apple remove VPN software on its App Store. If Apple didn’t comply China would remove users’ access to the App Store.

    This isn’t an “Apple likes China more than Kazakhstan” issue; it has to comply with local regulations to operate in China (just like anywhere else). What Kazakhstan was attempting was a security issue, essentially breaking the internet, and putting the users at risk.
    Ahhhh...I see it now. So, it isn't like China and Kazakhstan are doing the same thing, and Apple is letting China get away with it. Kazakhstan is essentially doing something very wrong, and Apple is refusing to go along. Thanks for making this much clearer.