Wed. Feb 26th, 2020

Google and Mozilla are trying to prevent Kazakhstan ISPs from installing a government-issued certificate

2 min read

Google and Mozilla are taking action against the Kazakhstan government’s certificate-based surveillance campaign for its citizens. The two companies announced today that they are teaming up to block the root certificate issued by the Kazakh government last month, which allows it to monitor the encrypted Internet activity of any user who installed it. The government asked the country’s ISP to cooperate and force all customers to install certificates to gain Internet access.

Kazakhstan government-issued certificate
Image: Eugene / via Bugzilla

According to a study published by the University of Michigan, it allows the Kazakh government to conduct man-in-the-middle attacks on HTTPS connections including domain names like Facebook, Twitter, and Google. In general, the encryption method of the HTTPS website will make it inaccessible to third parties including ISPs. In the case of Kazakhstan, the MitM attack broke the encryption mechanism of these websites, allowing free monitoring of private Internet activities.

Now, when Firefox detects a certificate in Kazakhstan, it will block the connection and display an error message. Chrome will also block the certificate, and it will also add this rule to the block list in Chromium source code and will be included in other Chromium-based browsers in the future.

“To protect our users, Firefox, together with Chrome, will block the use of the Kazakhstan root CA certificate. This means that it will not be trusted by Firefox even if the user has installed it,” Mozilla wrote on its corporate blog. “We believe this is the appropriate response because users in Kazakhstan are not being given a meaningful choice over whether to install the certificate and because this attack undermines the integrity of a critical network security mechanism. When attempting to access a website that responds with this certificate, Firefox users will see an error message stating that the certificate should not be trusted.”

Via: VentureBeat