Kazakhstan man-in-the-middle attack

Last updated

In 2015, the government of Kazakhstan created a root certificate which could have enabled a man-in-the-middle attack on HTTPS traffic from Internet users in Kazakhstan. The government described it as a "national security certificate". If installed on users' devices, the certificate would have allowed the Kazakh government to intercept, decrypt, and re-encrypt any traffic passing through systems it controlled. [1] [2]

In July 2019, Kazakh ISPs started messaging their users that the certificate, now called the Qaznet Trust Certificate, [3] issued by the state certificate authority the Qaznet Trust Network, would now have to be installed by all users. [4] [5]

Sites operated by Google, Facebook and Twitter appeared to be among the Kazakh government's initial targets. [6]

On August 21, 2019, Mozilla and Google simultaneously announced that their Firefox and Chrome web browsers would not accept the government-issued certificate, even if installed manually by users. [7] [8] Apple also announced that they would make similar changes to their Safari browser. [6] As of August 2019, Microsoft has so far not made any changes to its browsers, but reiterated that the government-issued certificate was not in the trusted root store of any of its browsers, and would not have any effect unless a user manually installed it. [9]

In December 2020, the Kazakh government attempted to re-introduce the government-issued root certificate for a third time. [10] In response to this, browser vendors again announced that they would block any such attempt by invalidating the certificate in their browsers. [11]

Related Research Articles

<span class="mw-page-title-main">HTTPS</span> Extension of the HTTP communications protocol to support TLS encryption

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

<span class="mw-page-title-main">Web browser</span> Software used to navigate the internet

A web browser is an application for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on a range of devices, including desktops, laptops, tablets, and smartphones. In 2020, an estimated 4.9 billion people have used a browser. The most used browser is Google Chrome, with a 65% global market share on all devices, followed by Safari with 18%.

<span class="mw-page-title-main">Firefox</span> Free and open-source web browser by Mozilla

Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and anticipated web standards. In November 2017, Firefox began incorporating new technology under the code name "Quantum" to promote parallelism and a more intuitive user interface. Firefox is available for Windows 10 or later versions, macOS, and Linux. Its unofficial ports are available for various Unix and Unix-like operating systems, including FreeBSD, OpenBSD, NetBSD, illumos, and Solaris Unix. It is also available for Android and iOS. However, as with all other iOS web browsers, the iOS version uses the WebKit layout engine instead of Gecko due to platform requirements. An optimized version is also available on the Amazon Fire TV as one of the two main browsers available with Amazon's Silk Browser.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

<span class="mw-page-title-main">Root certificate</span> Certificate identifying a root authority

In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA). Root certificates are self-signed and form the basis of an X.509-based public key infrastructure (PKI). Either it has matched Authority Key Identifier with Subject Key Identifier, in some cases there is no Authority Key identifier, then Issuer string should match with Subject string. For instance, the PKIs supporting HTTPS for secure web browsing and electronic signature schemes depend on a set of root certificates.

In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

Mozilla Firefox has features that allow it to be distinguished from other web browsers, such as Chrome and Internet Explorer.

<span class="mw-page-title-main">Adblock Plus</span> Content-filtering and ad blocking browser extension

Adblock Plus (ABP) is a free and open-source browser extension for content-filtering and ad blocking. It is developed by developer Wladimir Palant's Eyeo GmbH, a German software company. The extension has been released for Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera, Safari, Yandex Browser, and Android.

NoScript is a free and open-source extension for Firefox- and Chromium-based web browsers, written and maintained by Giorgio Maone, an Italian software developer and member of the Mozilla Security Group.

<span class="mw-page-title-main">Extended Validation Certificate</span> Certificate for HTTPS websites and software

An Extended Validation Certificate (EV) is a certificate conforming to X.509 that proves the legal entity of the owner and is signed by a certificate authority key that can issue EV certificates. EV certificates can be used in the same manner as any other X.509 certificates, including securing web communications with HTTPS and signing software and documents. Unlike domain-validated certificates and organization-validation certificates, EV certificates can be issued only by a subset of certificate authorities (CAs) and require verification of the requesting entity's legal identity before certificate issuance.

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.

StartCom was a certificate authority founded in Eilat, Israel, and later based in Beijing, China, that had three main activities: StartCom Enterprise Linux, StartSSL and MediaHost. StartCom set up branch offices in China, Hong Kong, the United Kingdom and Spain. Due to multiple faults on the company's end, all StartCom certificates were removed from Mozilla Firefox in October 2016 and Google Chrome in March 2017, including certificates previously issued, with similar removals from other browsers expected to follow.

DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc.

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

Firefox was created by Dave Hyatt and Blake Ross as an experimental branch of the Mozilla browser, first released as Firefox 1.0 on November 9, 2004. Starting with version 5.0, a rapid release cycle was put into effect, resulting in a new major version release every six weeks. This was gradually accelerated further in late 2019, so that new major releases occur on four-week cycles starting in 2020.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

HTTPS Everywhere is a discontinued free and open-source browser extension for Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Brave, Vivaldi and Firefox for Android, which is developed collaboratively by The Tor Project and the Electronic Frontier Foundation (EFF). It automatically makes websites use a more secure HTTPS connection instead of HTTP, if they support it. The option "Encrypt All Sites Eligible" makes it possible to block and unblock all non-HTTPS browser connections with one click. Due to the widespread adoption of HTTPS on the World Wide Web, and the integration of HTTPS-only mode on major browsers, the extension was retired in January 2023.

HTTP Public Key Pinning (HPKP) is an obsolete Internet security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using misissued or otherwise fraudulent digital certificates. A server uses it to deliver to the client a set of hashes of public keys that must appear in the certificate chain of future connections to the same domain name.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States.

References

  1. Nurmakov, Adil (2015-12-05). "Experts Concerned Kazakhstan Plans to Monitor Users' Encrypted Traffic". Digital Report. Retrieved 2019-07-18.
  2. Nichols, Shaun (3 Dec 2015). "Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs?". The Register . Retrieved 2019-07-18.
  3. "Kazakh government will intercept the nation's HTTPS traffic". IT PRO . Retrieved 2019-08-21.
  4. Afifi-Sabet, Keumars (19 July 2019). "Kazakh government will intercept the nation's HTTPS traffic". IT PRO . Retrieved 2019-07-19.
  5. Raman, Ram Sundara; Evdokimov, Leonid; Wustrow, Eric; Halderman, Alex; Ensafi, Roya (July 23, 2019). "Kazakhstan's HTTPS Interception". Censored Planet. University of Michigan. Retrieved 2019-08-21.
  6. 1 2 Paris, Martine (2019-08-21). "Google and Mozilla block Kazakhstan root CA certificate from Chrome and Firefox". VentureBeat . Retrieved 2019-08-21.
  7. Thayer, Wayne (2019-08-21). "Protecting our Users in Kazakhstan". Mozilla Security Blog. Retrieved 2019-08-21.
  8. Whalley, Andrew (2019-08-21). "Protecting Chrome users in Kazakhstan". Google Online Security Blog. Retrieved 2019-08-21.
  9. Brodkin, Jon (2019-08-21). "Google, Apple, and Mozilla block Kazakhstan government's browser spying". Ars Technica . Retrieved 2019-08-22.
  10. Cimpanu, Catalin. "Kazakhstan government is intercepting HTTPS traffic in its capital". ZDNET . Retrieved 2020-12-18.
  11. Moon, Mariella (2020-12-18). "Tech giants will block Kazakhstan's web surveillance efforts again". Engadget . Retrieved 2020-12-18.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.