Skip to content

Google and Mozilla block Kazakhstan’s surveillance attempt on internet users

Google Chrome and Mozilla Firefox, alongwith other web browsers, have blocked the certificate issued by the Kazakhstan government, which had to be installed by internet users in the country, and could be used to intercept communications on HTTPS connections, even from outside the country.

Kazakhstan government’s fake root certification, analysed by Censored Planet last month, attempts to intercept internet traffic of its citizens on 37 website domains, including social media and communication tools like Facebook, YouTube, Instagram, Twitter and Google. Devices that don’t have these certificates installed are blocked by ISPs in the country from accessing the affected websites.

The fake certificate allows the government and ISPs to intercept user data via a man-in-the-middle attack on HTTPS connections. In such a scenario, the attacker can intercept the communication, decrypt it and encrypt it back before it gets sent to the user.

Such fake certificates aren’t trusted by browsers usually but installing them manually as a trusted certificate won’t send any red flags to the browser. And that’s what Kazakhstan’s government was banking on.

Google and Mozilla have taken action to curb this intrusion of privacy by deploying technical solutions unique to their browsers and blocking the certificates, which effectively obstruct the government’s ability to intercept internet traffic in the country.

“People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security. We don’t take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists,” said Marshall Erwin, Senior Director of Trust and Security, Mozilla.

Earlier in 2015, Kazakhstan’s government had tried to get a root certificate installed in Mozilla’s trusted root store program to intercept internet traffic on the browser, but the request was denied after Mozilla found out the intention of the government.

Google Chrome has blocked the following certificates by the Kazakhstan government and will also be added to Chromium source code’s blocklist. This means that these certificates should also be blocked in other Chromium-based browsers.

  • SHA-256 Fingerprint (Qaznet Trust Network: 00:30:9C:73:6D:D6:61:DA:6F:1E:B2:41:73:AA:84:99:44:C1:68:A4:3A:15:
    BF:FD:19:2E:EC:FD:B6:F8:DB:D2)
  • SHA-256 of Subject Public Key info (Qaznet Trust Network: B5:BA:8D:D7:F8:95:64:C2:88:9D:3D:64:53:C8:49:98:C7:78:24:91:9B:64:EA:08:35:AA:62:98:65:91:BE:50)

“We will never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users’ data. We have implemented protections from this specific issue, and will always take action to secure our users around the world,” said Parisa Tabriz, Senior Engineering Director, Chrome.

Also read: What is a Credential-based cyberattack?

Domains affected by the certificate

The following 37 domains were found to be affected by Censored Planet out of the 10,000 domains tested by them.

  • allo.google.com
  • android.com
  • cdninstagram.com
  • dns.google.com
  • docs.google.com
  • encrypted.google.com
  • facebook.com
  • goo.gl
  • google.com
  • groups.google.com
  • hangouts.google.com
  • instagram.com
  • mail.google.com
  • mail.ru
  • messages.android.com
  • messenger.com
  • news.google.com
  • ok.ru
  • picasa.google.com
  • plus.google.com
  • rukoeb.com
  • sites.google.com
  • sosalkino.tv
  • tamtam.chat
  • translate.google.com
  • twitter.com
  • video.google.com
  • vk.com
  • vk.me
  • vkuseraudio.net
  • vkuservideo.net
  • www.facebook.com
  • www.google.com
  • www.instagram.com
  • www.messenger.com
  • www.youtube.com
  • youtube.com

Also read: What is Differential Privacy and does it keep user data anonymous?

Hello There!

If you like what you read, please support our publication by sharing it with your friends, family and colleagues. If you're running an Adblocker, we humbly request you to whitelist us.

Share on facebook
Share on whatsapp
Share on twitter
Share on reddit
Share on linkedin
Share on pocket
Share on pinterest
Share on telegram
Share on stumbleupon
Share on digg
Share on tumblr
Share on email
Share on skype
Share on xing
Share on vk
Share on odnoklassniki
Share on mix








>