Privacy Need Not Apply: Kazakhstan Decrypts HTTPS Traffic for its Citizens
About two weeks ago, reports began to surface in the former Soviet Republic of Kazakhstan that popular social media and communications websites began showing certificate trust errors unless users installed a government-issued certificate into their browser. According to ZDNet, there are 37 domains currently being HTTPS decrypted, including Google, Twitter, Facebook, Instagram, and mail.ru. This marks a dramatic change in how ISPs serve internet traffic to its customers. HTTPS (encrypted internet connections) is a fundamental tool of the internet, allowing traffic to be sent securely between two parties without anyone eavesdropping in the middle to decrypt the communication. Encrypted internet traffic securely allows trillions of dollars to transfer hands daily, patients to securely communicate with their doctors, and dissidents to provide information to reporters. While the government of Kazakhstan assures its citizens that the decrypting of encrypted traffic is to ensure their safety from malware, many watchdog groups remain skeptical.
As Spiderman’s Uncle Ben famously opined, “With great power comes great responsibly.” and the capability to intercept HTTPS traffic is extraordinarily powerful. HTTPS over the internet serves to protect both the confidentiality and integrity of the data. TLS over HTTP encrypts the traffic so that only the sender and the recipient can read the communication. It would be the equivalent of a customer and a banker discussing sensitive banking information in Navajo while in a crowded room. Unless someone else within earshot understands the Native American language, the communication is considered secure. HTTPS also cryptographically guarantees the integrity of the data that no party altered the data in transit. If someone buying a house issues a wire transfer to their real estate escrow company, they want to ensure that an intercepting party has not altered the receiving account number to one belonging to a hacker group in North Korea. Intercepting HTTPS traffic fundamentally breaks confidentiality and integrity and allows the government of Kazakhstan to read the information that is supposed to be confidential or alter its contents without the sender or receiver knowing what had occurred. By breaking the integrity of the data, the government of Kazakhstan could intercept the download of a popular application and replace it with a version of the application that contains spyware or monitoring software and the recipient would not be informed.
HTTPS and TLS encrypted communications require installed SSL certificates on both the client and the server. A Man-in-the-Middle (MitM) proxy sitting between the client and server terminates the TLS connection, inspect the contents of the transaction, alter it if needed, then re-encrypt the transaction using a certificate installed on the proxy. No legitimate, trusted certificate authority issues a certificate which allows for the interception of all internet traffic. That is because many popular browsers and operating systems come pre-installed with trusted root certificate authorities that allow secure communications to take place in the first place. Since the MitM proxy necessarily uses a self-signed certificate, clients accessing websites through the MitM proxy must manually trust the certificate authorities represented by the proxy service, and that is precisely what is happening in the former Soviet Republic. Users in Kazakhstan are receiving certificate trust errors when accessing websites on the list of actively intercepted services unless they install the self-signed certificate on their machine. To help facilitate this change, internet service providers in Kazakhstan are directing users to webpages hosting the certificates and instructions on how to install them. Before someone points out that my employer is the market leader in performing SSL Inspection at scale, there are benign and legitimate security uses of TLS inspection. Third-party audits, privacy policies, and internal safeguards help guarantee that private data is never improperly accessed, shared, or written to disk.
At the time of writing, the dominant operating system and browser vendors Google, Mozilla, and Microsoft are discussing a response to this radical shift in policy by the government of Kazakhstan. These tech titans can blacklist the government-issued certificate and thereby igniting an arms race. Open source browsers can be compiled with the government certificate pre-installed, but maintaining that separate fork of the software would require extensive resources and would not be sustainable long term. Other oppressive regimes are likely looking at this experiment to determine if it will work for them as well. It’s a high-risk game of chicken to find out if the government of Kazakhstan will bow to pressure from its citizens because the internet will become unusable without the help of these tech titans or if they will find a way to circumvent their required support. The future of privacy on the internet may very well depend on the outcome of this social experiment. Recent reports are coming in that not every ISP is performing the MitM HTTPS interception and that the interception is being turned on and off at random times. These reports appear to indicate that they are soft-launching this “feature” and waiting for technical data as well as public reaction before amping up the controls by requiring every ISP to implement the interception or increasing the number of websites subject to interception.
There is something to be said that Kazakhstan is still allowing its citizens to visit the social media and communications websites, albeit without any privacy or integrity. Countries like China and Russia have entirely banned the use of these sites and privacy-centric services in favor of in-country equivalent solutions, presumably, with backdoors the allow snooping without breaking HTTPS. This is not the first time the government of Kazakhstan attempted to decrypt all secure communications in 2015, but failed due to public and industry pressure. It would seem that the former Soviet Republic does not have enough resources to launch their versions of these applications and do not wish to rely on their former rulers in Moscow to share the source code of their creations.
The government of Kazakhstan insists that these measures are necessary to protect its citizens from an increasing number of attacks from encrypted channels. Data from security researchers seem to support their statement on the rise of encrypted threats. However, the government of Kazakhstan does not have a stellar reputation for freedom of the press or freedom of speech and ranks 158 out of 180 countries on the World Press Freedom Index according to reporters without borders.
With a 400% increase in phishing attacks utilizing SSL or TLS-based encryption, it becomes essential to inspect this traffic for malicious data. However, proper security and privacy controls need to be in place so that traffic can be scanned without violating users’ privacy. The government of Kazakhstan has not proven that they are decrypting traffic for benign purposes. Perhaps US President Ronald Regan had it right after all when he said “The nine most terrifying words in the English language are, ‘I’m from the government and I’m here to help.’”