It is no secret that the governments of China and Russia like to control what their citizens do online. In fact, things are not that different in the US and Europe now, where most nations are passing (or have passed) laws that allow intelligence agencies to spy on citizens without a second thought for their privacy. Thankfully, in the West (although France does want to make Tor illegal and block public Wi-Fi) we are still able to turn to VPNs, proxies, and Tor to encrypt our traffic, protecting ourselves from government surveillance.
In China, things are a bit tougher. The Great Firewall stops citizens from accessing sites that the government has deemed out of bounds (such as Twitter, Facebook, and even Wikipedia). Making a joke about the government online can land you in prison, and to stop people getting around its controlling hand the country has even banned some VPN services (which allow Chinese citizens to overcome the stringent rules and hide their web traffic with encryption).
In Russia (where the government isn’t exactly keen on a free and open internet for all either), the Kremlin has offered the equivalent of a $111,000 reward for anyone who can find a way to snoop on Tor Project users (Tor being the onion routing network that allows Internet users to anonymise themselves by redirecting their traffic through a worldwide network of relays). Tor is an even more effective tool than a VPN for protecting yourself online (though using both is by far the most effective way of anonymising your digital footprint).
Now, Kazakhstan, the rather large country sandwiched between China and Russia, has decided that it too wants access to all of its citizens’ internet traffic. Like its overreaching neighbors, it has its eyes firmly set on encrypted traffic, which it feels is where the juicy stuff probably resides.
So how do they plan to achieve this? To best imagine what the Kazakhstan government is planning, it is useful to think of encryption as a wax-sealed envelope that usually only your recipient can prise open. From January, the Kazakhstan government is insisting that all Internet Service Providers in the country circulate a ‘national security certificate’ to internet users. This is intended to apply to all systems, whether they are Microsoft Windows PCs, Apple Mac computers, or tablets and smartphones running Android or iOS.
According to the Kazakhtelecom press release, the national security certificate will be sent out in December under the guise of being helpful. “The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources,” it says in the press release (archived version).
What this means is that the government holds the keys to your “wax-sealed envelope”, and plans to open it, take a look, and re-seal it before allowing it to go on to its intended recipient, all in the name of national security. The catch is that an envelope re-sealed by the government does not look right when it arrives at its destination: a browser only trusts seals from certificate authorities it already knows. That is exactly why users are being asked to install the national security certificate, since installing it tells the browser to treat the government’s seal as genuine.
This process is called a man-in-the-middle (MITM) attack, and sadly anybody who has the certificate installed will suffer one at the hands of the Kazakhstan government, which will be able to read all HTTPS traffic. This includes citizens’ passwords, financial details and other sensitive data and private communication. It also gives the government the ability to block any site it wants to, simply by not putting it on the ‘whitelist’.
Even worse for the cybersecurity of Kazakhstani people, cybercriminals may also be able to make use of the same middle-man position to spy on internet users’ traffic. This was demonstrated to be the case in this year’s eDellRoot certificate scandal, in which a preinstalled root certificate was proven to allow hackers to spy on sensitive data via a ‘backdoor’.
‘There are two certificates found on Dell machines, including a trusted eDellRoot root certificate. Our research indicates that Dell is intentionally shipping identical private keys in other models. This means an attacker could sniff a Dell user’s web browsing traffic and manipulate their traffic to deliver malware,’ Duo Security said.
Another problem is that encrypted connections often also check, at point B, that a client certificate genuinely came from point A. With the national security certificate sitting in the middle of the connection, Kazakhstani traffic could find itself unable to meet the authorisation criteria at point B. That means web applications that make use of client certificates could stop working for people in Kazakhstan.
Yet another way that cybercriminals could profit is by managing to get their own certificate into circulation instead of the government’s official one, which would let them do exactly what the government is planning to do: spy on everyone’s HTTPS traffic.
The honest answer is that at the moment we just do not know. Some news services are reporting that it means the Kazakhstani government will be able to spy on citizens even if they use a VPN or Tor, but considering the amount of trouble that China has had stopping people from bypassing the Great Firewall, that seems highly improbable.
Add to that the fact that internet users will be expected to download the national security certificate themselves (meaning that, for the scheme to work, users will have to install the net-nanny style software on their own computers), and you have a recipe for something that the type of people who use VPNs or Tor for security reasons are unlikely to go along with.
Overall, the details of how it is going to work remain unclear at this time. Until the ‘national security certificate’ is actually released and implemented in January we are unlikely to know exactly how effective it is, or how easy it is to find a workaround. For that reason, anybody with an interest in this issue is advised to come back in January for further information on what exactly has transpired. The best advice we can give at this time is to avoid the government-issued certificate if possible, ignoring Kazakhtelecom’s advice to install it.