In late July, the government of Kazakhstan attempted to perform a mass man-in-the-middle attack on Kazakh citizens. Users of all Kazakh mobile networks were asked to install a government-issued CA certificate to continue using selected sites such as Google services, Facebook, and Instagram. Under global pressure, the government backed down just a few weeks later, stating that the rollout was “just a test”. However, the damage has already been done. Let’s look at the potential consequences of this on web security in Kazakhstan.
Legal Man-in-the-Middle Attacks
Not all man-in-the-middle cases are attacks performed by blackhat hackers. Actually, most such cases are perfectly legal. However, their “victims” most often don’t even realize that they are victims and don’t understand the potential consequences.
Every case in which an additional CA certificate is installed on the user’s computer is a man-in-the-middle case. However, in the following cases, this is not the work of a hacker:
- An antivirus/antimalware program may install its own certificate to monitor secure connections for potential threats. This may cover both web connections and secure email connections (POP3/IMAP/SMTP over SSL/TLS). In such cases, the user trusts the software manufacturer with all confidential information transmitted via the web and email.
- A company may install its own certificate on an employee’s computer to monitor all work-related communications. In such cases, the user is often not even aware of this fact and even if they are aware, they have no choice but to accept it. While perfectly legal, the ethics of such activity may be perceived as shady.
- An overcontrolling government may require users to install its own certificate to monitor all Internet traffic. In such cases, the government may also block access to all secure connections unless they are established with this certificate. Less technically savvy citizens (the majority) do not understand the consequences and blindly follow. Even if they understand what is going on, they have little choice but to accept.
Cases such as the Kazakhstan plan, which fits into the third category, are rare and are globally recognized as unethical. Cases from the first category are commonplace and not regarded as dangerous because the manufacturers of antivirus/antimalware solutions are perceived as trustworthy. Strangely enough, cases from the second category are more common than we may think and receive next to no backlash, the explanation being: it’s company property and they have the right to do this to their employees.
Custom Certificate Consequences
The direct consequences of installing a custom certificate on your computer are obvious: whoever is in control of the certificate, whoever is the man-in-the-middle, may have access to all encrypted communications. This means your passwords, your bank details, sensitive communications, etc. Basically, everything that you don’t additionally encrypt (for example, using PGP/GPG). However, it’s the indirect consequences that have the biggest impact on web security and security in general.
If a user is asked by the government to install a CA certificate, the same user might just as well be asked by anyone to install a certificate. And that anyone could be a malicious party. Worse than that: if the government blocks secure connections unless established with the installed certificate, the certificate itself must be downloadable from an insecure location. This makes it very easy for a malicious party to perform another man-in-the-middle attack and get the user to install a malicious certificate instead.
Therefore, the Kazakh government that was supposedly trying to increase national security actually exposed the users to a multitude of potential attacks. Malicious parties will try to get users to install a certificate that looks like the official one or to install any other certificate.
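As an added example (not code from the original post), a small Python audit of the local trust store: it lists every self-signed root whose commonName is not on an operator-maintained baseline, which is how an unexpectedly installed CA like the one described above would surface on a machine. The baseline names and the sample store are constructed for illustration; the real store is read through the standard library's `ssl` module.

```python
import ssl

# Constructed baseline: the root CNs an operator expects on a managed machine.
# A real baseline would be generated from a known-good build, not typed in.
EXPECTED_ROOT_CNS = {"Example Public Root CA", "Example Public Root CA 2"}


def _cn(name):
    """Extract commonName from an ssl-style name: a tuple of RDNs, each a tuple of (key, value) pairs."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_self_signed(cert):
    """A root CA is self-signed: its subject and issuer names are identical."""
    return cert.get("subject") == cert.get("issuer")


def find_unexpected_roots(ca_certs, expected_cns):
    """Return the CNs of self-signed roots in ca_certs that are not on the baseline."""
    unexpected = []
    for cert in ca_certs:
        if not is_self_signed(cert):
            continue  # intermediates chain to a root; only roots anchor trust
        cn = _cn(cert.get("subject", ()))
        if cn not in expected_cns:
            unexpected.append(cn or "<no commonName>")
    return unexpected


# Constructed sample store in the dict shape returned by SSLContext.get_ca_certs():
# one expected root, one intermediate issued by it, and one self-signed interception root.
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),), (("commonName", "Example Public Root CA"),)),
     "issuer": ((("countryName", "US"),), (("commonName", "Example Public Root CA"),))},
    {"subject": ((("commonName", "Example Intermediate CA"),),),
     "issuer": ((("countryName", "US"),), (("commonName", "Example Public Root CA"),))},
    {"subject": ((("commonName", "Interception CA (constructed)"),),),
     "issuer": ((("commonName", "Interception CA (constructed)"),),)},
]


def audit_local_store():
    """Audit the CA certificates the default SSL context actually trusts on this host."""
    ctx = ssl.create_default_context()  # loads the platform's default trust store
    return find_unexpected_roots(ctx.get_ca_certs(), EXPECTED_ROOT_CNS)


if __name__ == "__main__":
    print("sample store:", find_unexpected_roots(SAMPLE_STORE, EXPECTED_ROOT_CNS))
    print("local store:", audit_local_store())
```

On a real machine the local audit will report many roots until the baseline is populated from a known-good system; the signal is a root that appears on one machine and not on the baseline.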
Backlash and Protection
The Kazakh government-in-the-middle plan received strong backlash from the rest of the world. So much so that Internet giants decided to make sure that the plan never succeeds:
- On August 21, Google announced that they are blocking the certificate in the next version of Google Chrome and have added it to the Chromium blocklist (which means it will also be automatically blocked in other Chromium-based browsers in the near future, for example in Brave, Opera, and Vivaldi).
- On the same day, Mozilla announced similar steps. Just as in the case of Chrome, Firefox users won’t be able to proceed to pages with the Kazakh certificate.
- Right after the joint action by Google and Mozilla was announced, Apple also stated that they will protect the users of Safari.
- So far, no news about Internet Explorer is available, so it looks like for the time being it’s the only major browser not to include such protection.
However, while these steps are going to be very effective, the Kazakh government may change its mind again and go ahead with blocking Internet access for those that don’t have the certificate. If so, Kazakh users will effectively lose access to most major sites:
- If they don’t install the certificate, the Kazakh ISPs will block their access to sites.
- If they do install the certificate, browsers will prevent access to those sites (except in IE, as long as Microsoft does not block the certificate there).
- If they try to view the site via HTTP to avoid the need for a certificate, the site will prevent it if it uses HSTS (most major sites do).
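The third point is worth seeing in code. The following is an added example, not part of the original post: a minimal model of a browser's HSTS cache that records a `Strict-Transport-Security` header only when it arrived over a validated TLS connection and then answers whether a plain-HTTP request to a host would be forced to HTTPS. It covers `max-age`, `includeSubDomains`, expiry and `max-age=0`; real browsers additionally ship a preload list, which this model omits.

```python
class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self):
        self.policies = {}

    def record_header(self, host, header_value, now, over_tls):
        """Process a Strict-Transport-Security header received from host at time now."""
        # RFC 6797: the header is only honoured on a connection that validated without errors.
        # A header seen over plain HTTP is ignored, which is what stops an on-path party
        # from planting or clearing policies.
        if not over_tls:
            return
        max_age = None
        include_subdomains = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            value = value.strip().strip('"')
            if name == "max-age" and value.isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return  # max-age is required; a header without it is ignored
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self.policies[host] = (now + max_age, include_subdomains)

    def must_upgrade(self, host, now):
        """True if the client would rewrite http://host to https://host instead of sending plain HTTP."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])  # the host itself, then each parent domain
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expires, include_subdomains = policy
            if now >= expires:
                continue  # expired policy no longer applies
            if i == 0 or include_subdomains:
                return True
        return False
```

With a policy recorded for a site, a user who tries plain HTTP to sidestep the certificate never reaches the network: the client upgrades the request and the TLS handshake fails on the blocked certificate instead.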
Options for Kazakh Users
If the Kazakh government changes its mind again and goes ahead with its initial plan, the only sensible option for Kazakh users to have access to the Internet will be to resort to VPN connections and the Tor project. Unfortunately, both of these require a higher level of knowledge and VPNs are rarely free. Additionally, a while back Kazakhstan tried to make it difficult to use Tor by blocking the torproject.org website.
If the government does not back down, it could be an unending battle with one side trying to provide protection and options (browser manufacturers and third parties) and the other side trying to block all such attempts (for example, by forcing users to use a government-issued browser). The security of users will keep diminishing as such battles will open even more ground for malicious parties to take advantage of the confusion.
*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/ynae0pcfwH0/