Google Chrome and Mozilla Firefox, along with other web browsers, have blocked the certificate issued by the Kazakhstan government, which internet users in the country had to install and which could be used to intercept communications on HTTPS connections, even from outside the country.
The Kazakhstan government’s fake root certificate, analysed by Censored Planet last month, attempts to intercept the internet traffic of its citizens on 37 website domains, including social media and communication tools like Facebook, YouTube, Instagram, Twitter and Google. Devices that don’t have the certificate installed are blocked by ISPs in the country from accessing the affected websites.
The fake certificate allows the government and ISPs to intercept user data via a man-in-the-middle attack on HTTPS connections. In such a scenario, the attacker can intercept the communication, decrypt it and re-encrypt it before it gets sent to the user.
Browsers don’t usually trust such fake certificates, but once one is installed manually as a trusted certificate, the browser won’t raise any red flags. And that’s what Kazakhstan’s government was banking on.
Google and Mozilla have taken action to curb this intrusion on privacy by deploying technical solutions unique to their browsers and blocking the certificates, which effectively obstructs the government’s ability to intercept internet traffic in the country.
“People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security. We don’t take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists,” said Marshall Erwin, Senior Director of Trust and Security, Mozilla.
Earlier, in 2015, Kazakhstan’s government had tried to get a root certificate installed in Mozilla’s trusted root store program to intercept internet traffic on the browser, but the request was denied after Mozilla found out the intention of the government.
Google Chrome has blocked the following certificates issued by the Kazakhstan government, and they will also be added to the Chromium source code’s blocklist. This means that these certificates should also be blocked in other Chromium-based browsers.
- SHA-256 Fingerprint (Qaznet Trust Network: 00:30:9C:73:6D:D6:61:DA:6F:1E:B2:41:73:AA:84:99:44:C1:68:A4:3A:15:
- SHA-256 of Subject Public Key info (Qaznet Trust Network: B5:BA:8D:D7:F8:95:64:C2:88:9D:3D:64:53:C8:49:98:C7:78:24:91:9B:64:EA:08:35:AA:62:98:65:91:BE:50)
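An added example (not from the article, Chrome or Mozilla): checking a certificate against the Subject Public Key Info hash listed above, which matches any certificate that reuses the same key. It uses a minimal DER walker so it needs only the Python standard library; the function names are illustrative and the sample certificate is a constructed skeleton with placeholder fields.

```python
import hashlib

# SHA-256 of the Subject Public Key Info blocked by Chrome, as quoted in the article.
BLOCKED_SPKI_SHA256 = {"B5:BA:8D:D7:F8:95:64:C2:88:9D:3D:64:53:C8:49:98:"
                       "C7:78:24:91:9B:64:EA:08:35:AA:62:98:65:91:BE:50"}

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, element_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_der(cert):
    """Return the full SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, pos)  # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                        # optional explicit [0] version field
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def spki_sha256(cert):
    """Colon-separated uppercase SHA-256 of the SPKI, the format the article uses."""
    h = hashlib.sha256(spki_der(cert)).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def is_blocked(cert, blocklist=BLOCKED_SPKI_SHA256):
    return spki_sha256(cert) in blocklist

def der(tag, value):  # short-form DER encoder, used only to build the sample below
    return bytes([tag, len(value)]) + value

# Constructed sample: a skeleton certificate with placeholder fields, not a real one.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x03")) + der(0x03, b"\x00" + b"K" * 32))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                  + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))
if __name__ == "__main__":
    print(spki_sha256(SAMPLE_CERT), "blocked" if is_blocked(SAMPLE_CERT) else "not blocked")
```

To check a PEM file, convert it with `ssl.PEM_cert_to_DER_cert` and pass the resulting bytes to `is_blocked`.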
“We will never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users’ data. We have implemented protections from this specific issue, and will always take action to secure our users around the world,” said Parisa Tabriz, Senior Engineering Director, Chrome.
Domains affected by the certificate
Censored Planet found the following 37 domains to be affected, out of the 10,000 domains it tested.