Internet giants Google and Mozilla have taken action to block the Kazakhstan government from intercepting the internet traffic of its citizens in what appeared to be an online surveillance scheme.
In July, reports emerged that internet service providers in Kazakhstan had been instructing people to install government-issued certificates across their devices and the browsers or risk losing access to the internet.
This root certificate allows the Kazakh government to intercept and decrypt HTTPS traffic in a ‘man-in-the-middle’, or MitM attack. This includes usernames and passwords and spanned across 37 domains, including Google, Facebook, Twitter and YouTube.
Today, Google and Mozilla said they had deployed “technical solutions” within their Chrome and Firefox browsers to prevent this from happening.
Now, the Chrome or Firefox browser will detect attempts at surveillance and block the connection, as well as displaying a warning.
“People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security,” said Marshall Erwin, senior director of trust and security, Mozilla.
“We don’t take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists.”
Parisa Tabriz, senior engineering director at Google Chrome, said:
“We will never tolerate any attempt, by any organization – government or otherwise – to compromise Chrome users’ data. We have implemented protections from this specific issue, and will always take action to secure our users around the world.”
Mitigating against future internet surveillance
In July, state officials said that the internet surveillance system was to protect Kazakh users from “hacker attacks, online fraud and other kinds of cyber threats”.
But following widespread criticism, Kazakhstan halted its internet surveillance plans, with multiple researchers confirming that decryption attempts are currently halted. This suggests that Mozilla and Google have decided to mitigate against Kazakhstan – or another country – carrying out HTTPS interceptions in future.
Given that Kazakhstan previously attempted to intercept internet traffic of its citizens in 2015, it is not unreasonable to assume that the recent attempt will not be the last.
The State of Technology This Week
Mozilla’s Erwin confirmed to Engadget that while Kazakhstan’s test has ended, those with the bogus certificate still installed could still be vulnerable. Google and Mozilla’s solutions will protect users from this, Erwin said.
A Mozilla spokesperson told Verdict that “Mozilla will revoke the cert using OneCRL. This will be a non-bypassable block.”
Kazakhstan internet surveillance block a “safety belt for users”
Software developer Leonid Evdokimov, one of the researchers who helped to uncover Kazakhstan’s surveillance scheme for Censored Planet, told Verdict that Google and Mozilla’s actions are not an “ultimate answer to the threat” and more of a “harm reduction strategy”.
He described it as “both a publicity and a safety belt for a user”, explaining that a “safety belt does not save you in all possible car incidents, but it reduces the probability of damage”.
Evdokimov added: “The solution, I imagine, is a good move to make users more informed about possible outcomes of trusting a ‘rogue’ Certificate Authority. But educating users is a really complex story and it does not completely eliminate the threat.”
Tim Callan, senior fellow at Sectigo, a certificate authority company, said:
“This threat could have been addressed only at the browser level, and it forced browsers into new territory when considering how to manage their trusted root stores. By taking this stand, Google, Apple and Mozilla join major internet services in declaring they are not simply neutral technology providers but instead have a social responsibility for how their technology offerings are used.”
Erwin told Verdict that the announcement had “been translated into both Russian and Kazakh” to help raise awareness, but that Mozilla did not directly reach out to people in Kazakhstan.
“We were concerned that doing so might put those individuals at risk of retaliation from the Government of Kazakhstan, although people in Kazakhstan may have engaged in the public discussions on Bugzilla and the Google [discussion] group. Today, we have also informed our community through our regular communication channels,” he said.
Erwin added that Mozilla “has not contacted the Kazakhstan government to discuss this issue directly”.
Verdict has reached out to the Kazakhstan government department behind the internet surveillance scheme for comment, but has not had a response at the time of publication.