Google, Mozilla and Apple block Kazakhstan root CA certificate to fight government’s web surveillance
Do you remember this post about the Kazakhstan government’s attempts to deploy a root certificate in order to start a campaign of spying on citizens’ HTTPS traffic?
Google, Microsoft, and Mozilla are discussing a plan of action…
https://www.andreafortuna.org/2019/07/19/kazakhstan-government-begins-intercepting-all-citizens-https-traffic/
Well, good news!
A few days ago the responses from Google, Mozilla and Apple arrived: the companies announced that they are blocking the root certificate.
Below is the Google announcement:
When making secure connections, Chrome trusts certificates that have been locally installed on a user’s computer or mobile device. This allows users to run tools to inspect and debug connections during website development, or for corporate environments to intercept and monitor internal traffic. It is not appropriate for this mechanism to be used to intercept traffic on the public internet. In response to recent actions by the Kazakhstan government, Chrome, along with other browsers, has taken steps to protect users from the interception or modification of TLS connections made to websites. Chrome will be blocking the certificate the Kazakhstan government required users to install:
https://security.googleblog.com/2019/08/protecting-chrome-users-in-kazakhstan.html
The certificate has been added to CRLSet. No action is needed by users to be protected. In addition, the certificate will be added to a blocklist in the Chromium source code and thus should be included in other Chromium based browsers in due course.
…here is the blog post from Mozilla:
To protect our users, Firefox, together with Chrome, will block the use of the Kazakhstan root CA certificate. This means that it will not be trusted by Firefox even if the user has installed it. We believe this is the appropriate response because users in Kazakhstan are not being given a meaningful choice over whether to install the certificate and because this attack undermines the integrity of a critical network security mechanism. When attempting to access a website that responds with this certificate, Firefox users will see an error message stating that the certificate should not be trusted.
https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/
…and here is a statement sent by Apple to iMore:
Apple believes privacy is a fundamental human right, and we design every Apple product from the ground up to protect personal information. We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue.
https://www.imore.com/apples-blocks-kazakhstans-spy-certificate-google-mozilla-well
We encourage users in Kazakhstan affected by this change to research the use of virtual private network (VPN) software, or the Tor Browser, to access the Web. We also strongly encourage anyone who followed the steps to install the Kazakhstan government root certificate to remove it from your devices and to immediately change your passwords, using a strong, unique password for each of your online accounts.
https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/