Kazakhstan Spies on its People via Man-in-the-Middle Attack, Again
The government of Kazakhstan is forcing its citizens to install a spyware root certificate. This will allow authorities to crack open TLS, such as HTTPS traffic to secure websites. And it’s not the first time they’ve pulled this stunt.
The fictional home of Borat (pictured) is not exactly a democratic dreamland. Although there’s an election next month, there’s only one party to vote for.
Kazakhstan is a former-Soviet republic. In today’s SB Blogwatch, “It locate between Tajikistan, and Kyrgyzstan, and ******** Uzbekistan.”
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Very nice.
Please Read: If it not Success, I Will Be Execute
“Jak się masz?” Catalin Cimpanu reports—“Kazakhstan government is intercepting HTTPS”:
Under the guise of a “cybersecurity exercise,” the Kazakhstan government is forcing citizens in its capital … to install a digital certificate on their devices. … Once installed, the certificate would allow the government to intercept all HTTPS traffic.
Kazakhstan users … are not able to access sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix without installing [it]. This is the Kazakh government’s third attempt at forcing citizens to install root certificates.
Both previous attempts failed after browser makers blacklisted the government’s certificates. … Representatives for major browser makers [said] they will investigate the recent incident and take appropriate measures.
“Naughty, naughty!” Joanna Lillis adds context—“Kazakhstan: Civil society complains of pre-election pressure”:
Civil society groups are describing a wave of coordinated pressure from the government as Kazakhstan prepares for a parliamentary election. … The ruling Nur Otan party is guaranteed to win the election with a landslide in the absence of any opposition.
The government was forced to deny accusations that Internet access problems over previous days were related to the upcoming election. Difficulties accessing websites including Facebook and YouTube occurred because of a planned cyber-security drill, Ruslan Abdikalikov, the chairman of the Information Security Committee, said.
“Kazakhstan number one exporter of potassium, all other countries have inferior potassium.” Руслан Абдикаликов, head of the Information Security Committee of the Ministry of Digital Development, Innovation and Aerospace Industry is lost in translation:
The pandemic has made its own adjustments. These exercises were delayed until the end of the year.
By the end of the year, it became known that elections would be held in Kazakhstan on January 10. I want to assure you that when we planned the exercise, we were not aware of the election date. This has nothing to do with the elections.
“I go to America!” lol768 live there: [That’s enough stupid Borat quotes—Ed.]
There’s a bug open on BugZilla to get this new CA added to OneCRL. [Atlas Ripe] s showing you that, for a v4 connection to twitter.com, probe 6745 is getting back a TLS cert which does not match the cert provided to the majority of other probes. If you expand the row you can see the nation state MitM: notice the O=ISCA, C=KZ.
Déjà vu? Yes, gurps_npc eyerolls, furiously:
Yes, browsers blacklisted them twice before, so lets do it a third time. Surely the people that love privacy and hate our attempt to destroy privacy will give in and not blacklist us again!
The definition of insanity is repeating the same mistakes over and over again and expecting different results.
It feels like there should be a generic way to prevent this. Here’s the Melkman of human kindness:
With DANE TLSA Resource Records you can pin a public key to a website. Alas the implementation of TLSA-RR checking in browsers is dependent on extensions at this time. I wish it was native in browsers with a big red sign when violated.
When done in combination with DNSSEC it’s very hard to fake certificates. Or more precisely asymmetric cryptography key pairs used by servers. Certificates for TLS would not be needed anymore if TLSA-RR’s were standard practice. A company might still use a certificate to attest it’s identity beyond internet domain ownership.
This is for TLSA 3 1 1 and 3 1 2 records. … A lot more is possible with TLSA-RR’s including certificate and CA pinning.
Or I guess you could use a VPN? But AmiMoJo has a better idea:
A more robust option is to use cloud servers as proxies. … They can’t very well block an HTTPS connection to Microsoft’s Azure cloud because it would break loads of sites. … Similarly trying to target people using them would mark half the population as people of interest.
So robert_foss asks the obvious question:
I wonder which Western company sold them the products to do [this]? The majority of surveillance infrastructure is sold by Western companies, Israel in particular being a terrible actor on this space.
Meanwhile, Luckyo has this warning for any Kazakh trying to avoid the spycert:
On the bright side, this is Kazakhstan and not Uzbekistan. So they won’t boil [you] alive for demonstrating subversive tendencies against government policy. They’ll just beat you and your family.
Vacation in Kazakhstan—greatest country in world
Hat tip: f311a
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. Thank you for read my page. I hope you like. Dziękuję.
Image sauce: Michael Bulcik and Jarjar Zanaq (cc:by)