Firefox and Chrome Fight Back Against Kazakhstan’s Spying
Credit to Author: Lily Hay Newman| Date: Wed, 21 Aug 2019 10:00:00 +0000
The Central Asian country’s government has repeatedly threatened to monitor its citizens’ internet activities. Google and Mozilla aren’t having it.
Against the backdrop of China, Russia, and Iran working to sequester their own private, national internets, other countries like Kazakhstan have experimented with similar balkanization and internet-control initiatives. Kazakhstan first piloted a monitoring system in 2015 that would offer access to all web traffic within the country, even encrypted data. After fierce debate and some legal hurdles over the years, the government implemented a test of this draconian screening system in July. Now, Google, Mozilla, and Apple are incorporating technical protections into their Chrome, Firefox, and Safari browsers to fight back.
Today the three companies are announcing new defenses that block the Kazakhstan government's traffic-interception mechanism. When the browsers detect that this surveillance has been enabled, they will block the connection and display a warning. Users won't be able to bypass this warning even if they want to.
The Kazakh dragnet has faced intense criticism, and the situation continues to evolve. On August 6, about three weeks after the government began its mass-monitoring initiative, officials said that the program had only been a test of the potential impact on users and was being suspended. Researchers say that in practice the surveillance was only targeting certain popular sites for a relatively small group of internet users. But the capability exists for the government to launch a far more sweeping campaign if it chooses to in the future.
"The security test of the cybercrime program has demonstrated a high level of technical capability," Kazakh president Kassym-Jomart Tokayev tweeted (as translated by Google Translate and Reuters). "The most important thing is that there is no inconvenience for internet users in Kazakhstan. There are no grounds for concerns."
For Google, Mozilla, and Apple, along with data privacy and internet freedom organizations, the concerns are both major and ongoing. Encrypted web traffic—those HTTPS connections indicated by a green padlock—use special "certificates" to determine that web servers aren't misrepresenting themselves. But Kazakhstan's government required internet service providers to distribute full-access root certificates to all of their users and instruct the users to install the digital certificates on their devices and browsers if they wanted to access the internet. From there, researchers observed the government using this master key to surveil encrypted data being sent to and from dozens of well-known communication services and social media platforms like Facebook, Google, and Twitter.
"We believe that individual security and privacy is fundamental and cannot be treated as optional online," Marshall Erwin, Mozilla's senior director of trust and safety, said in a statement. "This certificate poses a significant threat to our users, which is why we are taking action to protect them."
An Apple spokesperson echoed on Wednesday that, “We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue.”
Similarly, Google says it has fully blocked the invasive Kazakh certificates, issued by a so-called certificate authority known as the Qaznet Trust Network. "Chrome will be blocking the certificate the Kazakhstan government required users to install," Andrew Whalley, a member of the Chrome security team, wrote in a blog post shared with WIRED. "In addition, the certificate will be added to a blocklist in the Chromium source code and thus should be included in other Chromium based browsers in due course."
This trickle-down to other browsers based on Chromium is important, Google and Mozilla say, even though Kazakhstan's government claims to have suspended its mass surveillance for now. Given the government's longstanding dedication to rolling out some type of root-certificate-based traffic monitoring, it's entirely possible that the government will ultimately resume the activity. If so, Google, Mozilla, and Apple will have infrastructure in place to respond, and to add other certificates to their block lists if needed.
"While the government’s test has apparently ended, the mechanism it can use to spy on web traffic is still in place," says Mozilla's Erwin. "And some users may still have this malicious certificate installed. Essentially, these users are still vulnerable, even if the attack is not ongoing. We aren’t waiting for the vulnerability to be exploited again in order to fix it."
The pro-democracy group Freedom House described Kazakhstan's internet as "not free" in a 2018 "Freedom on the Net" report. In addition to concerns about mass surveillance, the group also cited repeated incidents of internet censorship in which the Kazakh government has blocked access to communication, social media, and news services for hours at a time during political speeches, protests, and other controversial national events.
Adrian Shahbaz, research director for Freedom House's technology and democracy program, points out that Kazakhstan may have backed off for now on its plans to implement certificate-based surveillance because the country is in a politically fraught moment. Kazakhstan's longtime authoritarian leader, Nursultan Nazarbayev, transferred power in June to the current president, Kassym-Jomart Tokayev, in an election where Tokayev garnered 70.7 percent of the vote. But Shahbaz also notes that the Kazakh government has already established an extensive apparatus for digital control and surveillance—including Russian espionage tools and invasive relationships with internet service providers—and is likely in little rush to cement an additional mechanism.
"They have all sorts of information controls that were already implemented, especially before the election to make sure it went off without a hitch," Shahbaz says. "So I think authorities in Kazakhstan saw the pushback that this initiative was getting, and they might have thought, 'Better that we let off this issue before things get too heated.' Because it’s a particularly sensitive time politically for the new government."
Google and Mozilla say that internet users within Kazakhstan should familiarize themselves with tools that mask or anonymize their internet connections, like VPNs and Tor. And they encourage anyone who installed the Kazakh government's root certificate to remove it so they aren't leaving a backdoor to their internet traffic lurking on their devices. But if users do encounter compromised connections, at least Firefox, Chrome, and Safari will now throw up a warning and stop the surveillance in its tracks.
August 21, 2019 7:50am ET: This post has been updated to reflect that Apple has also added protections in Safari.