Google and Mozilla have removed trust for a root certificate that the Kazakh government was forcing some citizens to install on their devices as a way to intercept and inspect HTTPS traffic to some sites.
The move essentially invalidates the certificate in Chrome and Firefox and means that anyone with the root CA installed in one of those browsers will see a warning message that says the certificate is not trusted.
“We believe this act undermines the security of our users and the web, and it directly contradicts Principle 4 of the Mozilla Manifesto that states, ‘Individuals’ security and privacy on the internet are fundamental and must not be treated as optional’,” Wayne Thayer of Mozilla said.
“To protect our users, Firefox, together with Chrome, will block the use of the Kazakhstan root CA certificate. This means that it will not be trusted by Firefox even if the user has installed it. We believe this is the appropriate response because users in Kazakhstan are not being given a meaningful choice over whether to install the certificate and because this attack undermines the integrity of a critical network security mechanism.”
Google and Mozilla made the decision about a month after the HTTPS interception effort began in Kazakhstan. The interception effort targeted a subset of Internet users in Kazakhstan and focused on a small number of sites, including Twitter, Facebook, and Google. By forcing people to install the root certificate, the Kazakh government was able to impersonate those sites and decrypt and inspect any traffic going to them from devices with the certificate installed. The technique is commonly used by repressive regimes as a way to keep tabs on citizens’ Internet usage and interests. But HTTPS interception is not just an invasion of users’ privacy; it is also dangerous.
“In my view, and the overwhelming view of my colleagues in the security engineering community, this is a dangerously misguided policy, and will have the effect of making every citizen impacted by this policy less safe. It is difficult enough for the largest technology companies in the world to secure their own central network and certificate infrastructure; the notion that a modestly funded small government with limited technical resources can pull it off is naive, to say the least,” Kenn White, a senior security engineer and director of the Open Crypto Audit Project, said at the time the interception effort began in July.
Google’s Chrome engineering team took the same action Mozilla did, removing trust for the Kazakhstan root CA.
“We will never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users’ data. We have implemented protections from this specific issue, and will always take action to secure our users around the world,” Parisa Tabriz, senior engineering director for Chrome, said in a statement.
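The policy both browsers describe, distrusting one specific root even when the user has installed it, is a blocklist layered above the trust store. The following Python sketch is an added illustration, not code from the article or from either browser: it builds a constructed root and site certificate with the `cryptography` library (an assumed dependency), shows that the ordinary trust-store check accepts the chain once the root is installed, and then shows a fingerprint blocklist overriding that decision.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, issuer_cert, issuer_key, key, is_ca):
    """Build a certificate; issuer_cert=None makes it self-signed."""
    now = datetime.now(timezone.utc)
    issuer = issuer_cert.subject if issuer_cert else _name(subject_cn)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(issuer)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def fingerprint(cert):
    """SHA-256 fingerprint of the DER encoding, the usual blocklist key."""
    return cert.fingerprint(hashes.SHA256()).hex()

def chain_is_trusted(leaf, root, trust_store, blocklist):
    """Mimic the browser decision: the root must be in the (user-extended)
    trust store and must sign the leaf, but a blocklist entry for the root
    wins over the trust store, no matter who installed it."""
    if fingerprint(root) in blocklist:
        return False
    if fingerprint(root) not in trust_store or leaf.issuer != root.subject:
        return False
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True

# Constructed scenario: an interception root and a site cert it issued.
root_key = ec.generate_private_key(ec.SECP256R1())
root = make_cert("Constructed Interception Root CA", None, root_key, root_key, True)
leaf_key = ec.generate_private_key(ec.SECP256R1())
leaf = make_cert("www.example.com", root, root_key, leaf_key, False)  # hypothetical site

user_store = {fingerprint(root)}                 # the user was made to install the root
accepted_before = chain_is_trusted(leaf, root, user_store, set())
accepted_after = chain_is_trusted(leaf, root, user_store, {fingerprint(root)})
```

`accepted_before` is True because the installed root makes the impersonated site validate; `accepted_after` is False because the blocklist entry overrides the trust store, which is the effect the Mozilla and Chrome statements describe.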
Researchers at the Censored Planet project at the University of Michigan have been monitoring the interception effort in Kazakhstan since it began, and their measurements show that the interception essentially ended on August 7. It would be a simple matter for the Kazakh government to obtain another root certificate and start the effort all over again, but it would also need to go through the process of forcing citizens to install it, too.