(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on alecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]


Important History Lesson: the 2019 Kazakhstan Government’s attempt to man-in-the-middle all their citizens’ HTTPS requests

2023-10-31 13:53:44+00:00

For absolutely no reason whatsoever it seems a really good time to remind people of 2019, when the tinpot-totalitarian Kazakhstan government decided that the Internet was so dangerous to their continued existence that it was necessary to spy on all their citizens’ web communication.

They basically said: we will require all Kazakhs to use web browsers that trust an official Kazakh “root” (i.e. ultimately trustworthy) SSL/TLS certificate, so that when we need to spy on them we can just hijack the DNS lookups or TCP traffic for their destination websites and present the victim citizens with a faked-up “lawful interception” MITM TLS certificate for the destination website.

There are some great articles about it:

…and it’s a cute lesson to help people understand that [even though] the internet is supposedly a distributed technology, there is a lot of centralisation, or centrally-controlled infrastructure, or centrally-subvertible architecture (e.g. TLS, DNS, BGP, …) that can be forcibly perverted by nation-state actors to meet their goals.

And that all nation states — beneficent, liberal, or otherwise — will have those goals.

Of course this happened right around the time when Certificate Transparency (CT) was starting to get some serious adoption; CT is not a silver bullet against this sort of malfeasance, but it does at least offer some architectural resistance to the problem of nation states issuing bogus TLS/SSL certificates in the expectation of not being detected by the end user, or by the internet community at large.

In any case, the Browser vendors bravely blocked demands to insert the root certificates:

On August 21, 2019, Mozilla and Google simultaneously announced that their Firefox and Chrome web browsers would not accept the government-issued certificate, even if installed manually by users. Apple also announced that they would make similar changes to their Safari browser. As of August 2019, Microsoft has so far not made any changes to its browsers, but reiterated that the government-issued certificate was not in the trusted root store of any of its browsers, and would not have any effect unless a user manually installed it. https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_attack

I am frankly surprised that the Kazakh government didn’t try demanding a backdoor into end-to-end encrypted messenger software at the same time; instead it took them a few more years, and a bit more political disruption to get around to internet blocks.

Of course, no civilised nation would attempt to follow the same course nowadays, especially not attempting to backdoor both the top of the stack (HTTPS) and the bottom (E2EE Messengers) at the same time.

[1] URL: https://alecmuffett.com/article/108117
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/

DropSafe Blog via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/alecmuffett/