Apple, Google, Mozilla take steps to block Kazakhstan government surveillance

Following moves by Google and Mozilla to block a Kazakhstan government-mandated certificate that facilitated state-sponsored internet surveillance, Apple has done the same in Safari.

In July, the Kazakhstan National Security Committee said that it was rolling out a government encryption certification to protect citizens from "hacker attacks, online fraud and other kinds of cyber threats." In practice, it was a classic example of a "Man in the middle" attack, that not only allowed the government to read any and all content posted on the internet by the user, it also allowed governmental-sponsored password and credential harvesting.

On Wednesday morning, Apple, Google, and Mozilla made moves to revoke the trusted status of the certificate that the Kazakh ISPs were forced to adopt. Additionally, according to Google and Mozilla, both are introducing "technical solutions" that will prevent the system from functioning in the future.

"Apple believes privacy is a fundamental human right and we design every Apple product from the ground-up to protect personal information," the company said in a statement to AppleInsider and other venues. "We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue."

Reuters reports that Apple hadn't yet taken measures, but AppleInsider has confirmed that the protections have been in place for at least 12 hours.

"People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security," Senior Director of Trust and Security at Mozilla Marshall Erwin said in a statement. "We don't take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists."

Google had a similar response to the matter, saying that "we have implemented protections from this specific issue, and will always take action to secure our users around the world."

The Kazakh government shut down the system on August 7. It said that the roll-out was only a test, and declared that should attacks increase again it could, and would, deploy the system again.

Latest Exclusives

Latest comparisons

10 Comments

razorpit 17 Years · 1793 comments

About 5 years ago

Apparently, Kazakhstan has a lot less revenue to offer than the Chinese market does. So now we have an upper and lower bracket on the amount of government interference Google allows.

22july2013 11 Years · 3736 comments

razorpit said:

Apparently, Kazakhstan has a lot less revenue to offer than the Chinese market does. So now we have an upper and lower bracket on the amount of government interference Google allows.

Insightful. Thanks.

gatorguy 13 Years · 24627 comments

AppleInsider said:

Following moves by Google and Mozilla to block a Kazakhstan government-mandated certificate that facilitated state-sponsored internet surveillance, Apple has done the same in Safari.

On Wednesday morning, Apple, Google, and Mozilla made moves to revoke the trusted status of the certificate that the Kazakh ISPs were forced to adopt. Additionally, according to the pair, both are introducing "technical solutions" that will prevent the system from functioning in the future.

"The pair" in this case refers to Mozilla and Google.

A bit more on why this is a huge issue:
"...browsers implicitly trust certificates that have been locally installed on a user’s computer or smartphone, (and this) behavior raised serious security concerns.
Once installed, the (Kazakhstan Government's) certificate — used to validate a website’s identity — makes it possible to stage Man in the Middle (MITM) attacks on HTTPS connections. It allows the government to decrypt internet traffic and read whatever a user types or posts, including their passwords."
“We also strongly encourage anyone who followed the steps to install the Kazakhstan government root certificate to remove it from your devices and to immediately change your passwords, using a strong, unique password for each of your online accounts,” Mozilla cautioned.
So going forward "the browsers will not trust the certificate even if it has been installed manually — locally installed certificates are normally trusted as they are often needed for development purposes and for internal traffic monitoring in enterprise environments.
Other than Mozilla's suggestions “No action is needed by users to be protected. In addition, the certificate will be added to a blocklist in the Chromium source code and thus should be included in other Chromium based browsers in due course,” said Andrew Whalley of the Chrome Security team.

razorpit said:

Apparently, Kazakhstan has a lot less revenue to offer than the Chinese market does. So now we have an upper and lower bracket on the amount of government interference Google allows.

Ummmm... Google's browser isn't in China. Perhaps you had meant Apple?

jbdragon 10 Years · 2312 comments

What is to stop the Kazakhstan government to just get a new certificate? Then hide that fact? They can go even further to require any phone sold in that country to use their own browser. Or already have their own certificate. Whatever it may be to continue to spy on everyone. Maybe require a BACKDOOR into the phone!!!