Kazakhstan tries and fails to MITM all of its internet users with rogue certificate installation

On July 17th, 2019, the government of Kazakhstan enacted a new cybersecurity measure that aims to spy on its citizens’ internet traffic. Specifically, the Kazakh government ordered all of the internet service providers (ISPs) to force their customers to install a government-issued root certificate by Qaznet Trust Network on all of their internet accessing devices. If installed, this MITM cert allows the government to intercept, decrypt, analyze, then re-encrypt all browser encrypted HTTPS traffic in a country wide man-in-the-middle (MITM) attack. Since Wednesday, Kazakh internet users have been redirected to instructional pages asking them to install the new certificate. Forcing all of Kazakhstan’s internet through one government issued certificate is a gargantuan privacy issue, but it is also a security issue. Any hacker that gets control of the Quaznet domain will be able to view the supposedly encrypted personal information from Kazakh internet users. Passwords, usernames, credit card information, all of it would be available unencrypted in such a scenario.

To their credit, a Kazakh official clarified on July 19th, 2019 that the installation of the certificate was voluntary and not a prerequisite to accessing the internet.

Officials from the Ministry of Digital Development, Innovation and Aerospace stated that the new rule was “aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats,” but that clearly doesn’t seem to be the case. Messaging on the MITM cert install page by one Kazakh service provider, Kcell, specified what some of those “other types of cyber threats” just might be:

“A security certificate is a set of electronic digital symbols used to pass traffic that contains protocols that support encryption. Thus, it will allow Kazakhstani Internet users to be protected from hacker attacks and viewing illegal content.”

The notice-to-be-mitm also specifies that Linux users are exempt from downloading this rogue cert:

“[…] the installation of a security certificate must be performed from each device that will be used to access the Internet (mobile phones and tablets based on iOS / Android, personal computers and laptops based on Windows / MacOS).”

The privacy and cryptography community online has responded with a particular uproar. MITM attacks by ISPs are bad enough when it’s done by the ISP for economic gain reasons. When it’s ordered by a government which overseas millions of citizens, it is a look into the future dystopia. If Kazakhstan succeeds in this, the country will join North Korea in a short list of countries that have more of an intranet than an internet. The real fear, which Dr. Green articulates concisely, is the thought of tech-illiterate politicians in democratic governments around the world salivating at the mouth while considering Kazakhstan’s new internet policy as a good one.

This is the future all those cypherpunks warned us about. Let’s hope the West sees the danger, and doesn’t look on with admiration.

— Matthew Green (@matthew_d_green) July 19, 2019

A state entity is trying to MITM its citizens… How will internet browsers react?

Will browsers ban this certificate, even if it isn’t mandatory, essentially disabling the ability for the Kazakh government and ISPs to spy on Kazakh citizens? Or will they allow this certificate to be and show some sort of persistent warning instead? Some believe that this is no different than internet access as exists in some managed, corporate settings.

One commenter on the Mozilla (Firefox) bugthread has a passionate plea to the former with the argument that only by taking the nuclear approach and blocking Kazakhstan’s MITM cert will the wider internet community be able to stop Kazakhstan from achieving its goal of intercepting all HTTPS traffic within the country. Allegedly, the threat of this is what caused the government to back down on this same plan in 2016.

I am a citizen of Kazakhstan. If Mozilla/Google Chrome developers see this message,I kindly ask you to consider blocking the above mentioned certificate and any access to your browsers for the certificate holders. If this certificate didn’t pass Web trust audit, it can be the same as presented in 2016. So blocking it from the major world browsers is the only chance for kazakhs to avoid MITM attacks and keep at least some privacy rights (meaning that if blocked/blacklisted, the government will have to call back the certificate as it was done in 2016). […] If the certificate is not blacklisted, but only the visual message will pop up warning users about untrusted certificate – it will not help since majority of citizens (especially elderly ones) simply will not pay enough attention to such [a] message.

Since 2016, the Kazakh officials have added language that allows for exceptions to their MITM plan that graciously “allows” for encrypted traffic to bypass this MITM. The commenter also noted that the government does feel that they have bypassed the issues from their last rollout of their countrywide MITM attack:

The request to install the certificate is distributed via sms (as of now – only to the capital’s citizens). The last change in the law that the officials are referring to was done in December 2017. Clause 3-1, subclause 4) says that “Providers of international network are required to …4) to pass traffic using protocols that support encryption via security certificates, with the exception of traffic that was encrypted in Kazakhstan by cryptographic tools for data security”.

If browsers blacklist the certificate, and in essence take the stance that they will not let the Kazakh government spy on its citizens using their software, it’s possible that the Kazakh government will back down; however, it’s also possible that the Kazakh government might just force Kazakh ISPs to encourage the use of a state run browser – which would likely be forked from Chromium or Firefox anyways. This issue, as articulated by Matthew Hardeman in the corresponding email listserv discussion, leads to different a scenario where Kazakh citizens have both their privacy and security violated.

What ends up happening at the browser level is still unclear – all the large industry stakeholders such as Microsoft, Mozilla, and Google are all discussing the issue in earnest but nothing has been decided as of yet. In the meantime, Kazakh internet users need to protect themselves by encrypting their internet traffic themselves and avoiding the installation of this certificate at all costs – possibly by switching to Linux. Even if the certificate isn’t necessary to access the internet, many Kazakh internet users will get that impression from the language presented by their ISPs.