Google, Mozzila, and Apple decided to ban the Kazakhstan root CA certificate to protect the millions of users privacy, it means Chrome, Firefox, and Safari will no longer trust the government-issued root certificate.
The security and privacy of HTTPS encrypted communications in browsers such as Mozilla, Chrome, Safari relies on trusted Certificate Authorities (CAs) to issue website certificates only to someone that controls the domain name or website by verifying their site owners identity.
A shocking report published last July states that, Kazakhstan forced their users to install the Government-issued digital certificate on their devices through Internet Service Providers (ISPs).
The Kazakhstan government goal was to intentionally intercept the user’s web traffic and their activities without letting them know that the citizen’s activities are secretly monitoring by a man-in-the-middle (MitM) attack against HTTPS connections.
On July 18, citizens in Kazakhstan receiving the notification from the ISP’s that they were required to install the security certification in their respective devices, otherwise they will face the interruption to their web traffic, and they will block from accessing the most popular such as Google and Facebook and more.
It is extremely difficult to perform mass surveillance by government or cybercriminals to intercept any users without having any direct control over end-user devices.
But it’s possible if the users install a trusted digital certificate on to the device and it will open the door to intercept the encrypted traffic.
According to censored planet Report, “Interception was first detected on July 17, and we have been tracking it continuously since July 20. It has stopped and started again several times. Only certain sites are intercepted, and interception is triggered based on the SNI hostname. At least 37 domains are affected, including social media and communication websites”
allo.google.com, android.com, cdninstagram.com, dns.google.com, docs.google.com, encrypted.google.com, facebook.com, goo.gl, google.com, groups.google.com, hangouts.google.com, instagram.com, mail.google.com, mail.ru, messages.android.com, messenger.com, news.google.com, ok.ru, picasa.google.com, plus.google.com, rukoeb.com, sites.google.com, sosalkino.tv, tamtam.chat, translate.google.com, twitter.com, video.google.com, vk.com, vk.me, vkuseraudio.net, vkuservideo.net, www.facebook.com, www.google.com, www.instagram.com, www.messenger.com, www.youtube.com, youtube.com
Mozilla Ban Kazakhstan root CA Certificate for FireFox
Mozilla releases a public statement that they block the Kazakhstan root CA certificate and it will no longer be trusted by Firefox.
Firefox will not trust Kazakhstan root CA certificate even if there are already installed such as a way to protect firefox users from intercepting the Kazakhstan citizens privacy.
According to Firefox “We encourage users in Kazakhstan affected by this change to research the use of virtual private network (VPN) software, or the Tor Browser, to access the Web. We also strongly encourage anyone who followed the steps to install the Kazakhstan government root certificate to remove it from your devices and to immediately change your passwords, using a strong, unique password for each of your online accounts. “
Firefox users who have already installed the certificate will attempt to access any site, they will receive an error stats that the certificate should not be trusted.
In years back, the Kazakhstan government requested Mozzila to add the root certificate to the list of other root certificates, but the fear of misuse possibility, Mozilla denied to add their root certificate.
Google Banned for Chrome
Google also has taken the appropriate steps, and it will be blocking the certificate the Kazakhstan government forced its citizen’s to install on their devices.
Google trusts the locally installed TLS/SSL certificate on a user’s computer or mobile device for an internal purpose such as a corporate environment to intercept and monitor internal traffic.
But, intercepting public traffic is totally against the user’s privacy when they are accessing the public internet, Google said.
According to a Google report, “The certificate has been blocked and added to CRLSet. No action is needed by users to be protected. In addition, the certificate has been added to a blocklist in the Chromium source code and thus should be included in other Chromium-based browsers in due course.”
Apart from Google and Mozilla, Apple also decided to block the root certificate issued by Kazakhstan CA.
Apple told Ars Technica “We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue. This covers Safari for both iOS and macOS”.
Sponsored: Best Practices to Strengthen Cyber Security – Manage all the Endpoint networks from a single Console.