Kazakhstan Government is Now Intercepting All HTTPS Traffic (zdnet.com)
Artem S. Tashkinov writes: Starting Wednesday, July 17, 2019, the Kazakhstan government has started intercepting all HTTPS internet traffic inside its borders. Local internet service providers (ISPs) have been instructed by the local government to force their respective users into installing a government-issued certificate on all devices, and in every browser. The certificate, once installed, will allow local government agencies to decrypt users' HTTPS traffic, look at its content, encrypt it again with their certificate, and send it to its destination. Kazakh users trying to access the internet since yesterday have been redirected to web pages that contained instructions on how to install the government's root certificate in their respective browsers, be it on a desktop or mobile device.
Wow (Score:5, Funny)
For a moment I misread that headline as "The Kardashian Government" and thought I had missed something really big overnight.
Re: (Score:3, Funny)
For a moment I misread that headline as "The Kardashian Government" and thought I had missed something really big and overweight.
Re: (Score:3)
Re:Wow (Score:5, Funny)
They always fuck with Bajorans, don't they?
You are making the common confusion of Cardassians and Kardashians. It's a simple distinction...
One group is a bunch of vaguely reptilian, amoral types who will stop at nothing to achieve their goals. The other group, of course, invaded Bajor.
Re: (Score:2)
Personally, I've never found any of the Kardashian women attractive.
I lean more towards the Shailene Woodley or Daisy Ridley beauty type as being attractive. The Kardashians and their ilk are just too "in your face" and flaunting it for my tastes.
Their beauty is extremely artificial and contrived. Plastic surgery and makeup.
It's like drinking peach-flavored Boba tea and feeling disgusted by the chemical taste of the "artificial peach flavor."
Uncanny valley (Score:2)
It just this moment hit me that they actually LIVE IN the uncanny valley
Comment removed (Score:5, Insightful)
Re:Sayonara (Score:5, Insightful)
Re:Sayonara (Score:5, Informative)
I sure hope it proves catastrophic to any country attempting this.
Unlikely. Kazakhstan's economy is based on extraction of oil, gas, and minerals. None of those will be adversely affected by Internet censorship.
The government is not concerned about the welfare and creativity of the Kazakh people. They just want to keep them away from the pipelines.
Re: (Score:2)
None of those will be adversely affected by Internet censorship.
This will also ensure that they'll *never* have anything that would be adversely affected by Internet censorship...like any kind of modern economy, for example.
Re: (Score:2)
...like any kind of modern economy, for example.
That's the point. A modernized and prosperous Kazakhstan would not accept rule by the Nazarbayev family dynasty. Impoverished and ignorant people are easier to control.
Re: (Score:2)
Yea, until their pipeline infrastructure gets sabotaged, and/or communications get leaked because someone compromised the MITM server or its keys (such a server, universally trusted to impersonate anyone, is the single point of failure/attack). They might as well have just banned encryption - it would have at least not affected performance and added a single point of failure/attack by funneling all traffic through government MITM servers.
Re:Sayonara (Score:4, Funny)
Re: (Score:2)
Banning https outright is not much more absurd than requiring everyone to install a root certificate which allows a MITM attack server which will on-the-fly generate signed certificates for any site they want or have one wildcard certificate for all of the internet - either way, compromising even one of the MITM nodes compromises all connections going forward.
Re: (Score:2)
Re:Sayonara (Score:5, Insightful)
Re:Sayonara (Score:4, Insightful)
This is not a result of capitalism, regardless of what you were indoctrinated by your Marxist college professors, skippy.
What's happening in Kazakhstan is TOTALITARIANISM.
Re: (Score:2)
This particular atrocity is spearheaded by totalitarianism, but it's enabled by amoral free-market-uber-alles capitalists.
If this was spearheaded by capitalists, they'd be selling complete access logs to marketers, bounty hunters, contract killers, whoever.
Re: (Score:2)
I agree.
In addition, sovereign Internets work to inhibit intrusion by outsiders.
Maybe we'll have a modern day Internet "icebreaker," like that shithead Nixon.
Re:Sayonara (Score:5, Informative)
Even internal traffic... if I were Kazakh, this would pretty much end any of my online shopping, banking, and what-not. You gotta figure, within a short while, organized crime is gonna have that private key.
Re: (Score:2)
Forget organized crime having access to bank and other info.
PEOPLE would be involved in operating the system. People are known to abuse database privileges. It's a huge problem, so this Kazakh proposal would open up things to anyone with criminal intent and an ability to get a job 'maintaining' this system.
Trial balloon (Score:5, Interesting)
This is a trial balloon. If they are successful, or not fail, I can see pretty much the world following suit in forcing MITM certs, with stateful firewalls on the ISP's end dropping all traffic that can't be MITM-ed.
I wonder how long it will be until the MITM cert is compromised, and blackhats can slurp all that encrypted SSL traffic to banks and financial institutions as they please, which was one of the predicted horror stories of key escrow, even back in the early 1990s when Clipper/Skipjack loomed over the computing landscape with mandatory key escrow.
Re:Trial balloon (Score:5, Interesting)
This is a trial balloon. If they are successful, or not fail, I can see pretty much the world following suit in forcing MITM certs, with stateful firewalls on the ISP's end dropping all traffic that can't be MITM-ed.
That sounds like it would be monumentally expensive. Maybe if some hardware were used that was specifically designed to do this kind of SSL forward proxy efficiently, it might be doable.
I run some pretty massive stateful firewalls at work, and while accurate throughput numbers are difficult to get out of the vendors, you'd probably be looking at ~$1 mil per 10-20Gbit of forward proxy traffic (accounting for redundant/HA hardware). An ISP would be spending $5-10k per customer to support them on 100Mbit connections. Even if I'm off by an order of magnitude, that's still a year of $50/mo subscriptions - and that's not accounting for support costs.
Re: (Score:2)
Re: (Score:3)
Modern stateful firewalls DO have ASICs for this kind of thing. Obviously you'd get cheaper/faster by removing all the threat inspection and firewall rule processing, and only loading them up with decrypt/re-encrypt hardware, but re-encryption is the single most computationally intensive capability that firewalls have.
Re: (Score:2)
OTOH, a number of US ISPs have been caught using Sandvine to shoot down what they consider bandwidth 'hogging' connections.
Re: (Score:2)
Re: Trial balloon (Score:2, Insightful)
You actually do want to encrypt the goat, but just DES is fine. Goat adversaries aren't that sophisticated.
Re: (Score:2)
This is a trial balloon. If they are successful, or not fail, I can see pretty much the world following suit in forcing MITM certs, with stateful firewalls on the ISP's end dropping all traffic that can't be MITM-ed.
If that happens, I can see lots of major web sites (e.g. Google) enabling cert pinning. If those firewalls start dropping all the major search engines, webmail providers, etc., user complaints except in the most totalitarian of regimes will force them to stop. China is an exception because it's big enough to create its own Internet ecosystem, but smaller countries can't.
Re: (Score:2)
My pops is a "ham extraordinaire"; got his Novice as a young kid in the 50's... and a more awkward dork never walked the Earth (Sorry, Pops; gotta call 'em as I see 'em).
Re: (Score:2)
That made me check your /. id. Larger than I expected.
Re: (Score:2)
Re: (Score:2)
Kazakhstan's biggest export is oil and natural gas.
Re: (Score:2)
Re: (Score:2)
Yes, they can force Certificate Transparency.
If they have used certificate pinning, their users would also be told of the MITM attack.
Sure, that's safe (Score:5, Insightful)
And I'm sure they have perfect security, so no one will possibly gain access to all the bank credentials they decrypt. Looks like a perfect place to stop doing online banking.
Re:Sure, that's safe (Score:4, Funny)
Kazakhstan HTTPS cleanest in region
Re: (Score:2)
Looks like a perfect place to stop doing online banking.
Or the perfect place never to start, if Borat's documentary was any indication...
Wait, Kazakhstan is a real country? (Score:5, Funny)
I thought Kazakhstan was a fictional country made up for the movie Borat? Are you telling me it is a real country? Wow. Sasha Cohen is cold-hearted. Cold.
Re: (Score:2)
100% real. And, yes, Sasha Cohen was pretty mean to them. He basically just made up everything in the movie. Kazakhs weren't overly pleased with Borat.
Re: (Score:2)
It's the biggest landlocked country in the world.
Re:Wait, Kazakhstan is a real country? (Score:4, Interesting)
Not as cold hearted as the Kuwaitis who played Sasha Baron Cohen's version of the Kazakhstan anthem during a medal ceremony for an international event https://www.bbc.com/news/world... [bbc.com]
Re:Wait, Kazakhstan is a real country? (Score:4, Funny)
I thought Kazakhstan was a fictional country
Are you a product of the US school system?
Re:Wait, Kazakhstan is a real country? (Score:4)
Or just old enough to be educated before they were a country? I mean - in 1991 I was still in elementary school, but my high school textbooks would not have been new enough to cover it either.
The school system I was in barely taught anything past WWII, though. They weren't great. This was because of teaching in chronological order and never getting to the end of the book by the end of the year.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I thought Kazakhstan was a fictional country made up for the movie Borat? Are you telling me it is a real country?
Seriously? You are joking, right? Have you bothered to look at a map [wikipedia.org] in the last 30 years? By area it's the 9th largest country in the world.
Re: (Score:3)
Re: (Score:2)
I thought Kazakhstan was a fictional country made up for the movie Borat? Are you telling me it is a real country?
The first artificial satellite and the first man in space both flew from Kazakhstan, as have the vast majority of subsequent Russian space launches.
Re: (Score:2)
In Kazakhstan, (Score:2)
All your data are mine.
I predict a colossal data breach besides just the microscope they just inserted rectally.
VPN? (Score:2)
Could you use a VPN to get around this (or rather through it) ?
Re: (Score:2)
Yes. But most commercial VPNs are owned by the Chinese. Welcome to the middle of the end of the Internet.
Re: (Score:3, Interesting)
So? The Kazakhs can't decrypt the VPN and the Chinese can't decrypt the TLS. Welcome to Onion routing.
Re: (Score:2)
Good point. I'm signing up now.
Re: (Score:2)
It's a torrible idea.
Re: (Score:2)
You could probably still rely on communication tools where the encryption doesn’t depend on a central authority (e.g. iMessage, Signal). However it’s possible for the government to simply block what they can’t intercept. People will find work-arounds... but, as the Chinese have shown, if the government is willing to throw enough time and money at the problem they can eventually clamp down on the work-a-rounds as well.
This doesn’t solve the online banking and commerce issues, though.
Re: (Score:2)
Re: (Score:3)
Castle Covert Channel (Score:2)
Time to design a MMO game that is broadly popular and has oddly large data transfer requirements between peers...
Or you can strap a back channel [archive.org] to existing popular RTS games.
Re: (Score:2)
Could you use a VPN to get around this (or rather through it) ?
Odds are if they're going this far, they've long since blocked all outgoing traffic that isn't on a handful of prescribed ports and isn't a protocol they can read. If VPNs work in Kazakhstan I'd be surprised, and I'd expect them to stop working very shortly. Any encrypted stream that doesn't decrypt with their MITM certificate will get blocked.
Re: (Score:2)
Can we get their cert? Might be fun to start sending a LOT of goatse signed with it.... :)
Re: (Score:2)
Any encrypted stream that doesn't decrypt with their MITM certificate will get blocked.
So double-encrypt with a TLS-based VPN? Not the most efficient protocol, to be sure, but it would probably evade any blocking based on checking for the MITM certificate and encrypted traffic within the VPN will remain secure even if the outer layer is compromised.
Of course, what they'll do if they catch you at it is an entirely separate problem.
Kazakhstan be fucked now (Score:2)
Relevant links removed from the submission (Score:5, Informative)
Mozilla bug report: https://bugzilla.mozilla.org/s... [mozilla.org]
Hacker News: https://news.ycombinator.com/i... [ycombinator.com]
Reddit: https://www.reddit.com/r/progr... [reddit.com]
detectable on the server? (Score:2, Interesting)
any discussion on how we can detect this on the server and block?
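One server-side signal that works regardless of which root certificate the client trusts is the TLS ClientHello fingerprint: an interception proxy terminates the user's TLS session and opens its own connection to the server with its own TLS stack, so the cipher suites, extensions and groups it offers rarely match what the browser named in the User-Agent header would send. The following is an added example, not code from the thread or from any interception product; it implements the JA3 fingerprint method (version, ciphers, extensions, supported groups, point formats, GREASE values excluded, MD5 of the joined string), with two constructed ClientHello messages standing in for a browser and for a proxy, and a `BASELINE` table that a real deployment would learn from known-good sessions rather than hard-code.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random per connection and are excluded from the
# fingerprint, as the JA3 method specifies.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(version, ciphers, extensions):
    """Construct a minimal TLS record carrying a ClientHello (used only to build
    sample input here). extensions is a list of (type, raw_data) in wire order."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"    # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                       # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_string(record):
    """Parse a ClientHello record into the JA3 string
    'version,ciphers,extensions,supported_groups,ec_point_formats'."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]                             # skip 5-byte record + 4-byte handshake header
    off = 0
    version = struct.unpack_from("!H", body, off)[0]; off += 2
    off += 32                                     # client random
    off += 1 + body[off]                          # session id
    cs_len = struct.unpack_from("!H", body, off)[0]; off += 2
    ciphers = [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                          # compression methods
    exts, groups, formats = [], [], []
    if off + 2 <= len(body):
        ext_len = struct.unpack_from("!H", body, off)[0]; off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, off); off += 4
            data = body[off:off + elen]; off += elen
            exts.append(etype)
            if etype == 10 and len(data) >= 2:                # supported_groups
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 11 and len(data) >= 1:              # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def dash(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), dash(ciphers), dash(exts), dash(groups), dash(formats)])


def ja3_digest(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def looks_intercepted(ua_family, record, baseline):
    """True when the ClientHello fingerprint is not one the claimed browser family is
    known to produce, i.e. some other TLS stack (such as a proxy) opened the connection."""
    return ja3_digest(record) not in baseline.get(ua_family, set())


# Constructed sample: a browser-like hello (GREASE present, TLS 1.3 suites first).
BROWSER_HELLO = build_client_hello(
    0x0303,
    [0x1a1a, 0x1301, 0x1302, 0xc02b],
    [(0x1a1a, b""), (0, b""), (23, b""), (65281, b"\x00"),
     (10, struct.pack("!HHHH", 6, 0x1a1a, 0x001d, 0x0017)),
     (11, b"\x01\x00"), (16, b""), (13, b""), (43, b""), (51, b"")])

# Constructed sample: a proxy-like hello re-originating the connection with a different stack.
PROXY_HELLO = build_client_hello(
    0x0303,
    [0xc02f, 0xc030, 0x009c],
    [(0, b""), (10, struct.pack("!HHH", 4, 0x0017, 0x0018)), (11, b"\x01\x00"), (13, b"")])

# Baseline of fingerprints seen from genuine sessions of each browser family; here it is
# seeded from the constructed sample, in production it is learned from clean traffic.
BASELINE = {"Chrome": {ja3_digest(BROWSER_HELLO)}}

if __name__ == "__main__":
    for name, rec in (("browser", BROWSER_HELLO), ("proxy", PROXY_HELLO)):
        print(name, ja3_string(rec), "intercepted?", looks_intercepted("Chrome", rec, BASELINE))
```

A mismatch is a signal, not proof: corporate proxies, antivirus products and every browser release change fingerprints, so the baseline must be refreshed from clean sessions and a miss should raise an alert or a step-up check rather than an outright block.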
For a brief moment (Score:2)
The internet is being usurped (Score:2)
Perhaps the browsers could push an "update" that provides a work around... As in a "Root Certificate Blacklisting" feature ?
Upon finding out what this certificate is -- push a software update so that this cert can no longer be trusted, even if manually installed.
The problem is likely a decrease in the cost of centralizing computational power in the hands of government resulting in
a REVERSAL of the decentralization of compute that the internet and the free spread of information as we knew it before relied
Re:The internet is being usurped (Score:5, Insightful)
Re: (Score:2)
Upon finding out what this certificate is -- push a software update so that this cert can no longer be trusted, even if manually installed.
And Chromium is open-source. Now, secured web sites can only be used through the government's official browser.
Re: (Score:2)
And Chromium is open-source. Now, secured web sites can only be used through the government's official browser.
Only the Chromium core is open source; not the exact browser apps.
First of all... it's doubtful Khaza-whatever is up to maintaining an "only browser" themselves.
Second... If Google and Apple update their browsers to blacklist the cert; there's no reason for them to allow an insecure-by-design browser on their App stores for iOS and Android.
Next... there are platforms on which a Chromium browser c
Re: (Score:2)
First of all... it's doubtful Khaza-whatever is up to maintaining an "only browser" themselves.
If random scammers in Russia can put together a Chromium build for their malware (it's everywhere), then any old government can do it and it's easier than maintaining a national MITM attack.
Think devices such as the Nintendo Switch and PS4; they utilize TLS connections to talk with the console maker's servers,
And those will either be broken or you will get certificate errors. Do you think Kazakhstan is going to roll this back just because it might hurt Nintendo's console sales in a very small market?
Re: (Score:2)
Place them on an in-country server with self-signed cert that everyone is aware of. Surf content without interference
From inside the same building? They are doing MITM on in-country traffic too.
Soping pedophiles (Score:5, Funny)
This post was signed with Kazakhstan Gov't CA certificate.
Re: (Score:2)
"Pedophiles" comes to us from the two Greek (ca. Dr. Scholl) words, pedo, meaning "feet" and philia, meaning "love of" and is a concatenated corruption of the phrase, "kiss my foot."
Article title text input must have been too long.. (Score:2)
to include "inside its borders". I mean no one, not even ZDNet, would deliberately leave sensationalist headlines for clickbait...
Just spoof Android httpclient (Score:2)
How, exactly, does Kazakhstan propose to force anyone with an Android phone that uses apps that use Apache HttpClient to do this? The last time I checked (admittedly, ~5 years ago... circa Jellybean), there was NO WAY to import a globally-trusted alternate root certificate that would be used by anything besides the browser. You could easily trust an alternate root cert for the BROWSER, but the certs trusted by Android's implementation of HttpClient were loaded by the bootloader.
In any case, any Android app
Re: (Score:3)
For a lot of people this will mean your app is now broken and people will now use a different app. Because most have no idea why things don't work
Perfect (Score:4, Insightful)
"The certificate, once installed, will allow local government agencies to decrypt users' HTTPS traffic, look at its content, encrypt it again with their certificate, and send it to its destination." ...which completely negates using HTTPS in the first place.
It's perfect- they can grab traffic, decrypt it, ALTER IT, and then send it on its way encrypted again. You could never trust another web page or email again since it would be trivial for them to alter the content.
I'm sure the NSA/CIA/FBI/etc is salivating at the prospect of doing this.
Lol, I set up the burst media with SFTP (Score:2)
different port.
Have fun!
Don't let the terrorists win. (Score:2)
Sure, there are a lot of people who don't like the idea of the government snooping on their data, but if the government didn't do this, then anybody could send any sort of message to anybody else.
It isn't just people protecting their bank accounts, it's also people creating hate speech sites, prostitutes advertising their services, criminals ordering drugs, and crime lords placing hits.
How high a price are you willing to pay for freedom?
Re: (Score:3)
Re: (Score:2)
Stegosaurusographic CRISPR trials have not been completed yet.
Re: (Score:2)
Configure a machine in another country as a web proxy.
Unless they also block SSH. Then that won't work either.
Re: (Score:2)
You would have to disable HSTS at the browser level. Technically, HSTS will work as expected with the MITM certificate. It's key pinning that will break things.
Re: (Score:2)
Or perhaps KITM (Kazakh In The Middle).
Re: (Score:2)
Or perhaps KITM (Kazakh In The Middle).
The sequel series to Malcolm in the Middle?
Re:MITM attack! (Score:4, Insightful)
It just shows that the security model is broken.
Re: (Score:2)
I know in Sweden, due to IPRED, VPNs have become the norm and commonplace. Here in the US, they are not uncommon as well, just because of the shenanigans ISPs have done (like adding identifying tags to browser headers).
The problem with countries wanting to eavesdrop on traffic and forcing it, is that it causes people to fire up VPNs, and make it harder for law enforcement in general. Of course, they can ban VPNs, but that then causes a costly arms race, and can destroy a country's way of life.
Eventually,
Re:So basically the same as everyone else? (Score:4, Insightful)
How do you know you can trust your VPN ?
Re: (Score:2)
Re: (Score:2)
Re:ALL GOVERNMENTS NEED FULL ACCESS!!! (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
I might trust the police, but I won't give them my passwords. Has nothing to do with trust, it's just not their business.
Re: (Score:3)
Re: (Score:2)
You insensitive clod. The goddam subject line is in ALL FUCKING GODDAM CAPS!!!!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
For browser traffic, users can just install a plugin that alerts them when the government certificate is used.
That plugin would alert for all traffic. They might as well put a post-it note on top of their phone reminding them that their traffic is being intercepted.