Google and Mozilla are making changes to their respective web browsers to try and thwart the notoriously corrupt government of Kazakhstan’s efforts to launch a surveillance operation against its own citizens.
Google (Chrome), Mozilla (Firefox), and now Apple (Safari) are all blocking a root certificate from the Kazakhstan government in their browsers which could be used to intercept encrypted traffic that goes to and Facebook, Gmail, Twitter, or any other news or communication app people might be using there.
Google and Mozilla were first to take action. Later today, an Apple spokesperson began telling reporters that Safari is now also blocking the root certificate as well.
“We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue,” said the unnamed Apple spokesperson.
Better late than never, but these moves by US-based tech companies are too late to protect all Kazakh users from harm. The Kazakhstan government launched the root certificate last month, and since then, the government has been able to monitor the encrypted internet activity of any users who installed it.
From Engadget’s Amrita Khalid:
The nation forced ISPs to cooperate by making it mandatory for all customers to install the certificate in order to gain access to the internet.
Turns out that the root certificate was a Trojan Horse. It allowed the Kazakhstan government to perform a “man-in-the-middle” or MitM attack against HTTPS connections to a list of 37 domains, including Facebook, Twitter, Google and more, according to a study published by University of Michigan’s Censored Planet. Normally, HTTPS websites are encrypted in a way that ISPs or governments won’t be able to access it. In the case of Kazakhstan, the MitM attack broke the encryption in these sites, allowing the government to freely spy on private internet activity.
Both the Chrome and Firefox browsers in Kazakhstan will bar the illicit certificate before users can even download it. Mozilla will block Kazakhstan’s root certificate with OneCRL, which Firefox has been using to revoke certificates since 2015. Previously, users who accessed the internet in Kazakhstan received a message on their smartphone or computer asking them to install the root certificate.
Now when Firefox detects the certificate in Kazakhstan, it will instead block the connection and display an error message. “Research shows that many users click through errors without understanding what they mean, leaving them no better off than if there were no warning at all. We believe this is the appropriate response because users in Kazakhstan are not being given a meaningful choice over whether to install the certificate and because this attack undermines the integrity of a critical network security mechanism,” said Mozilla’s Senior Director of Trust & Safety Marshall Erwin in an email to Engadget.
Read more: Google and Mozilla to block web surveillance in Kazakhstan [image: shutterstock]
Apple, Google, and Mozilla block Kazakhstan's HTTPS intercepting certificate in their respective browsers
Measure comes a little too late, as the Kazakh government has stopped using it, but the ban will the root cert from ever being useful againhttps://t.co/wlqSdvjYuP pic.twitter.com/K3oiOWBpGC
— Catalin Cimpanu (@campuscodi) August 21, 2019
Kazakhstan has implemented a new monitoring system that would offer the government access to all web traffic within the country, even encrypted data.
Now, Google, Mozilla, and Apple are adding technical protections to their browsers to fight back. https://t.co/948YTlx4My
— WIRED (@WIRED) August 21, 2019
Updated with statement from Apple https://t.co/F6EaPcN5QI
— Joseph Cox (@josephfcox) August 21, 2019
Update: Apple spox said Safari is blocking the root certificate as well. “We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue.” https://t.co/VDSpPhc3IY
— Amrita Khalid (@askhalid) August 21, 2019