The dictatorship forces the public to introduce a government-certified root certificate, confirming an man-in-the-middle attack by an ISP


by TheDigitalArtist

In Kazakhstan, known for its one-party dictatorship, the government has been obligated to install a government-certified root certificate since 2016. However, when this root certificate was introduced, it was criticized that the encrypted HTTPS communication could be intercepted by the government. On July 18, 2019, some users reported that a man- in-the- middle attack that intercepted HTTPS communication was actually being conducted from Kazakhstan at the Mozilla forum where Firefox was developed.

1567114-MITM on all HTTPS traffic in Kazakhstan
https://bugzilla.mozilla.org/show_bug.cgi?id=1567114


If you follow the signature of the certificate that the browser determines to be secure, you will arrive at the root certificate installed in the browser and OS. While the root certificate proves the server's SSL certificate, there is nothing that proves the correctness of the root certificate itself. For example, in Firefox, the browser verifies whether the root certificate is trustworthy based on the registration list created by Mozilla.

If an untrusted root certificate is authenticated, the security of encrypted SSL communication will also be shaken. In the past, it was a big problem as the advertisement company Superfish pre-installed on the Lenovo PC and the advertisement was displayed on the page where the self-signed root certificate was encrypted.

Dell laptop PC has the same root certificate & private key and may be subject to man-in-the-middle attacks-gigazine


An Internet service provider (ISP) in Kazakhstan sent a notice to users that “From January 1, 2016, a root certificate certified by the Kazakh government must be installed”. The following email is an email prompting installation, and “http://qca.kz” in the text is the URL of the site that distributes the root certificate of the Kazakh government certification.


In 2015, the government of Kazakhstan applied for Mozilla to register a government-certified root certificate in the list.

1232689-Add Root Certification Authority of the Republic of Kazakhstan (root.gov.kz)
https://bugzilla.mozilla.org/show_bug.cgi?id=1232689


In Kazakhstan, where the domestic penetration rate of the Internet exceeds 70%, the Internet is legally defined as “mass media”, and the behavior of SNS such as Facebook and Twitter is interpreted as the same level of information transmission as newspapers and television. For this reason, all information transmitted by the public on the Internet is subject to strict censorship by the government. If an ISP in Kazakhstan compels the root certificate issued by the government of Kazakhstan, the end user PC in Kazakhstan will always include the root certificate issued by the government, allowing man-in-the-middle attacks to forcibly intercept HTTPS communications It will become.

The risk of man-in-the-middle attacks by the government was already pointed out in 2016.

Nation State MITM CA's?-Google Groups
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wnuKAhACo3E


On July 19, 2019, a user named Eugene revealed in the Mozilla forum that he was under attack from Kazakhstan. The following screen shot is evidence that shows that access to Facebook is via Kazakhstan (KZ) for some reason. According to a post submitted to HackerNews, this man-in-the-middle attack was by an ISP in Kazakhstan, and an unrelated advertisement pop-up window was sometimes displayed.


According to the Tengrinews is a Kazakhstan of technology-based media, the capital of Kazakhstan Nursultan communication failure that is reported from the part of the (former Astana) is to protect 'the citizen-government organizations and private companies from threats such as hacker attacks and fraudsters The government of Kazakhstan recommends that a government-certified root certificate be installed again.

Специальный сертификат попросили установить на смартфоны казахстанцев-новости интернет–индустрии |
https://tengrinews.kz/internet/spetsialnyiy-sertifikat-poprosili-ustanovit-smartfonyi-374216/


Eugene says, “Kazakhstan government-certified root certificate should be blacklisted by Mozilla and Firefox should not accept Kazakhstan government-certified root certificate even if it is manually installed” .

In addition, Eugene argues that `` If you accept this precedent, all efforts of the HTTPS protocol to realize encrypted communication will be wasted, so Mozilla and Google should immediately intervene '' . He pointed out that many other governments could conduct man-in-the-middle attacks on the public if the government of Kazakhstan succeeded in intercepting encrypted communications by misusing the root certificate of government authentication .

・ Continued
Announced that Google and Mozilla will block the root certificate certified by the dictatorship-GIGAZINE

in Security, Posted by log1i_yk