Kazakhstan is spying on residents' HTTPS traffic; browser makers are blocking it again
Google, Mozilla, Apple and Microsoft have teamed up to prevent the Kazakh government from decrypting and reading HTTPS encrypted traffic between its citizens and overseas social media websites.
All four companies' browsers recently received updates blocking a root certificate that the government has asked some citizens to install. The self-signed certificate resulted in traffic sent to and from selected websites being encrypted with a government-controlled key. According to industry standards, HTTPS keys should be private and only controlled by the site operator.
The certificate used on December 6th was first reported in a thread on Mozilla's bug reporting website. It was later reported on the Censored Planet website that the certificate worked against dozens of web services, mostly owned by Google, Facebook, and Twitter. Censored Planet identified the affected locations as:
Instead of sending traffic that could only be decrypted by the website and the individual end user, computers on which the certificate was installed used a key that the Kazakh government could also use to decrypt the data in transit.
This is at least the second time that the Kazakh government has asked some citizens to install the certificate, most recently in August 2019. The major browser makers blocked that attempt as well.
According to Censored Planet, the percentage of hosts in Kazakhstan that experienced the interception was 11.5 percent, compared with 7 percent the previous year.