Google and Mozilla stepped up their efforts to block Kazakhstan’s government from intercepting web traffic within the country.
In a joint announcement made today, the two companies said they are deploying a technical solution to prevent the use of the ‘Qaznet Trust Network’ root CA certificate in Chrome and Firefox.
Apple is also said to be taking similar preventive measures to protect Safari users, per the latest report from Reuters.
The move comes after reports from July suggested the government had instructed internet service providers to require people in the country to download and install a state-issued certificate on all devices (and in every browser) in order to access the web.
According to University of Michigan’s Censored Planet, the certificate intercepted traffic from 37 domains, including social media and communication sites like Facebook, Instagram, YouTube, Google Hangouts, and Russia’s VK.
Because browsers implicitly trust certificates that have been locally installed on a user’s computer or smartphone, the behavior raised serious security concerns.
Once installed, the certificate, which is used to validate a website’s identity, makes it possible to stage man-in-the-middle (MITM) attacks on HTTPS connections. It allows the government to decrypt internet traffic and read whatever a user types or posts, including their passwords.
While Kazakhstan initially said the plan was to monitor cyber threats, the government did an about-turn earlier this month, stating the initial rollout was simply a test.
However, the certificate remains an active threat on devices from which it was not removed. Since the Qaznet certificate has a long lifespan (it expires in 2046), the revocation will prevent the government from surreptitiously snooping on its citizens.
On the other hand, the side effect of revoking this certificate is that users attempting to visit one of the 37 sites will now be presented with an error message stating that the certificate should not be trusted.
This means users effectively won’t be able to proceed to the desired web page. To do so, affected users will have to install a VPN or use the Tor browser to access the impacted sites.
“We also strongly encourage anyone who followed the steps to install the Kazakhstan government root certificate to remove it from your devices and to immediately change your passwords, using a strong, unique password for each of your online accounts,” Mozilla cautioned.
Test or no test, the move was rightly criticized for mass surveillance concerns. But it’s fair to wonder if Kazakhstan will retaliate by forcing its people to download its own custom browser with the certificate already installed.