Over the last few years, there has been a concerted effort to improve the security and privacy of internet users by encouraging websites to move to HTTPS, meaning all internet traffic between the website and the user is encrypted. This has meant that while internet service providers can know which websites you visit, they have no access to the information being exchanged between the website and end users.
Google has been one of the major forces behind the move, downranking websites that do not use HTTPS encryption in its very important search results. Both Firefox and Google, at present, mark websites that are not using HTTPS as “not secure”. This has frustrated government and security agencies all around the world, but the ex-Russian republic Kazakhstan has found a way to achieve an end-run around the security by forcing internet users to install its root certificate.
As reported in Bugzilla on the 18th of July, Kazakhstan ISP MITM is sending SMS messages to mobile users, directing them to a website where they are requested to install the nefarious certificate. After this is done, all encrypted traffic going to Twitter, YouTube, Facebook, Gmail, Mail.ru, VK.com and Tamtam.chat is directed to government servers before being passed on to the hosts. End users are reporting that this has also resulted in some websites and pages on Facebook being blocked and returning 403 errors.
Kazakhstani residents commenting on the Bugzilla thread have described the Kazakhstani government as authoritarian and dictatorial, and are encouraging Mozilla, the creators of Firefox, to take strong action against this security attack. Suggestions being offered include not allowing end users to install certificates, and explicitly warning end users that installing a certificate would compromise their privacy and security, something that the browser doesn’t do at present. Alternatively, more targeted action can be taken, such as revoking the certificate. At present, there does not appear to be any specific agreement on which course of action to follow.
While issues affecting the 18.6 million people in Kazakhstan may not appear very significant to the rest of us, such an attack would be easy to replicate by Western governments, such as the USA, Australia and the UK, who all have their own motives to keep a closer eye on their citizens, ranging from terrorism to pornography to copyright infringement.
Follow the debate on this very important issue at Bugzilla here.