Kazakhstan man-in-the-middle attack

In 2015, the government of Kazakhstan created a root certificate which could have enabled a man-in-the-middle attack on HTTPS traffic from Internet users in Kazakhstan. The government described it as a "national security certificate". If installed on users' devices, the certificate would have allowed the Kazakh government to intercept, decrypt, and re-encrypt any traffic passing through systems it controlled.^[1]^[2]

In July 2019, Kazakh ISPs started messaging their users that the certificate, now called the Qaznet Trust Certificate,^[3] issued by the state certificate authority the Qaznet Trust Network, would now have to be installed by all users.^[4]^[5]

Sites operated by Google, Facebook and Twitter appeared to be among the Kazakh government's initial targets.^[6]

On August 21, 2019,

trusted root store of any of its browsers, and would not have any effect unless a user manually installed it.^[9]

In December 2020, the Kazakh government attempted to re-introduce the government-issued root certificate for a third time.[10] In response to this, browser vendors again announced that they would block any such attempt by invalidating the certificate in their browsers.^[11]

References

^ Nurmakov, Adil (2015-12-05). "Experts Concerned Kazakhstan Plans to Monitor Users' Encrypted Traffic". Digital Report. Retrieved 2019-07-18.
^ Nichols, Shaun (3 Dec 2015). "Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs?". The Register. Retrieved 2019-07-18.
IT PRO
. 19 July 2019. Retrieved 2019-08-21.

IT PRO
. Retrieved 2019-07-19.

^ Raman, Ram Sundara; Evdokimov, Leonid; Wustrow, Eric; Halderman, Alex; Ensafi, Roya (July 23, 2019). "Kazakhstan's HTTPS Interception". Censored Planet. University of Michigan. Retrieved 2019-08-21.

^ ^a ^b Paris, Martine (2019-08-21). "Google and Mozilla block Kazakhstan root CA certificate from Chrome and Firefox". VentureBeat. Retrieved 2019-08-21.

^ Thayer, Wayne (2019-08-21). "Protecting our Users in Kazakhstan". Mozilla Security Blog. Retrieved 2019-08-21.

^ Whalley, Andrew (2019-08-21). "Protecting Chrome users in Kazakhstan". Google Online Security Blog. Retrieved 2019-08-21.

^ Brodkin, Jon (2019-08-21). "Google, Apple, and Mozilla block Kazakhstan government's browser spying". Ars Technica. Retrieved 2019-08-22.

^ Cimpanu, Catalin. "Kazakhstan government is intercepting HTTPS traffic in its capital". ZDNET. Retrieved 2020-12-18.

^ Moon, Mariella (2020-12-18). "Tech giants will block Kazakhstan's web surveillance efforts again". Engadget. Retrieved 2020-12-18.

v
t
e
TLS and SSL
Protocols and technologies

Transport Layer Security / Secure Sockets Layer (TLS/SSL)

Datagram Transport Layer Security (DTLS)

Server Name Indication (SNI)

Application-Layer Protocol Negotiation (ALPN)

DNS-based Authentication of Named Entities (DANE)

DNS Certification Authority Authorization (CAA)

HTTPS

HTTP Strict Transport Security (HSTS)

HTTP Public Key Pinning (HPKP)

OCSP stapling

Opportunistic TLS

Perfect forward secrecy

Public-key infrastructure

Automated Certificate Management Environment
(ACME)

Certificate authority (CA)

CA/Browser Forum

Certificate policy

Certificate revocation
Certificate revocation list (CRL)

Online Certificate Status Protocol (OCSP)

OCSP stapling

Domain-validated certificate (DV)

Extended Validation Certificate (EV)

Public key certificate

Public-key cryptography

Public key infrastructure (PKI)

Root certificate

Self-signed certificate

See also

Domain Name System Security Extensions (DNSSEC)

Internet Protocol Security
(IPsec)

Secure Shell (SSH)

History

Export of cryptography from the United States

Server-Gated Cryptography

Implementations

Bouncy Castle

BoringSSL

Botan

BSAFE

cryptlib

GnuTLS

JSSE

LibreSSL

MatrixSSL

mbed TLS

NSS

OpenSSL

s2n

SChannel

SSLeay

stunnel

wolfSSL

Notaries

Certificate Transparency

Convergence

HTTPS Everywhere

Perspectives Project

Vulnerabilities
Theory

Man-in-the-middle attack

Padding oracle attack

Cipher

Bar mitzvah attack

Protocol

BEAST

BREACH

CRIME

DROWN

Logjam

POODLE (in regards to SSL 3.0)

Implementation

Certificate authority compromise

Random number generator attacks

FREAK

goto fail

Heartbleed

Lucky Thirteen attack

POODLE (in regards to TLS 1.0)

Kazakhstan MITM attack

Retrieved from "https://en.wikipedia.org/w/index.php?title=Kazakhstan_man-in-the-middle_attack&oldid=1217998223"

[1] Nurmakov, Adil (2015-12-05). "Experts Concerned Kazakhstan Plans to Monitor Users' Encrypted Traffic". Digital Report. Retrieved 2019-07-18.

[2] Nichols, Shaun (3 Dec 2015). "Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs?". The Register. Retrieved 2019-07-18.

[3] IT PRO
. 19 July 2019. Retrieved 2019-08-21.

[4] IT PRO
. Retrieved 2019-07-19.

[5] Raman, Ram Sundara; Evdokimov, Leonid; Wustrow, Eric; Halderman, Alex; Ensafi, Roya (July 23, 2019). "Kazakhstan's HTTPS Interception". Censored Planet. University of Michigan. Retrieved 2019-08-21.

[venturebeat.com-2019-08-21-6] Paris, Martine (2019-08-21). "Google and Mozilla block Kazakhstan root CA certificate from Chrome and Firefox". VentureBeat. Retrieved 2019-08-21.

[7] Thayer, Wayne (2019-08-21). "Protecting our Users in Kazakhstan". Mozilla Security Blog. Retrieved 2019-08-21.

[8] Whalley, Andrew (2019-08-21). "Protecting Chrome users in Kazakhstan". Google Online Security Blog. Retrieved 2019-08-21.

[9] Brodkin, Jon (2019-08-21). "Google, Apple, and Mozilla block Kazakhstan government's browser spying". Ars Technica. Retrieved 2019-08-22.

[10] Cimpanu, Catalin. "Kazakhstan government is intercepting HTTPS traffic in its capital". ZDNET. Retrieved 2020-12-18.

[11] Moon, Mariella (2020-12-18). "Tech giants will block Kazakhstan's web surveillance efforts again". Engadget. Retrieved 2020-12-18.

[1]

[2]

[3]

[4]

[5]

[6]

[9]

[11]