1. 60
  1.  

  2. 20

    A translation of the announce on: https://www.kcell.kz/ru/product/3585/658

    Due to increasingly frequent cases of personal information theft and bank account hijacking, we are introducing a security certificate that will become an efficient way to protect the country from hackers, scammers, and other cyberthreats.

    Deployment of the security certificate will help us protect your data and stop attacks before they succeed.

    The security certificate is a set of digital data that is required for encrypted protocols to work. It will help protect the Kazakh people from attacks and illegal content.

    You should install the certificate on every device connected to the Internet, else there will be technical difficulties with accessing particular resources.

    1. 14

      Thank you for the translation. Wow - the terrifying part of that is that so many people will read it and not understand the implications.

      1. 4

        Yes: Omission of information is effectively the same as misinformation!

        They present it as adding encryption, when it really is about replacing it with what your government can decrypt, and the way security is improved here is by enabling government spying.

    2. 13

      If we’re discussing pushing around governments, it would sure be nice if it was the job of an international nonprofit actually responsible for the infrastructure like IANA or IETF instead of private companies…

      1. 4

        You can’t even get the certs over tls (misconfigured… to use their own CA)

        1. 3

          My instinct: This is a totalitarian act. → Time to flee.

          You should not need to trust your privacy to anyone, and the Kazakh government doesn’t look worthy of an exception:

          In 2005, the World Bank listed Kazakhstan as a corruption hotspot, on a par with Angola, Bolivia, Kenya, Libya and Pakistan.

          1. 1

            What in this image indicates a MITM attack?

            1. 5

              If I interpret it correctly, atlas.ripe.net has a probe somewhere in KZ, and this probe tried to establish a connection with a facebook server. The other end of the connection basically said: “Hello, this is Facebook. Of course we can prove you’re directly talking to us. See this certificate.” - The problem is, this certificate is not signed by “DigiCert Inc” from “US”, which a standard browser should be able to verify on its own. Instead the fake-facebook certificate was signed by “No Data” from “KZ”, which your browser will only accept if you manually install that strange root certificate the KZ government wants you to install.

              1. 4

                Uhm, the fake cert? ;)

                To clarify, it’s not a MITM attack in the normal sense. It’s a government mandating people to install fake certs on their devices so that the government can spy on them.

                1. 3

                  It is an attack, because they are redirecting traffic to go through their servers, which then present a fraudulent certificate that chains up to the government certificate.

                  1. 1

                    And yet, it is a democratic republic of 18 million people. If it can happen there, it can happen anywhere. Government mandated security certificates imposed on its citizens is equivalent to a MITM attack if enforced by law.

                    1. 14

                      And yet, it is a democratic republic of 18 million people.

                      Worth noting from Freedom House:

                      President Nursultan Nazarbayev has ruled Kazakhstan since 1991. Parliamentary and presidential elections are not free or fair, and all major parties exhibit political loyalty to the president. The authorities have consistently marginalized or imprisoned genuine opposition figures. The dominant media outlets are either in state hands or owned by government-friendly businessmen. Freedoms of speech and assembly remain restricted, and corruption is endemic.

                      While it is a democratic republic in name, it differs considerably from what I think we all imagine when we hear those words.

                      1. 2

                        Nazarbayev has stepped down as president as of 19 Mar 2019:

                        https://en.wikipedia.org/wiki/Nursultan_Nazarbayev

                        1. 7

                          https://astanatimes.com/2018/07/kazakh-president-given-right-to-head-national-security-council-for-life/

                          He was made lifetime chairman of the national security council and its powers expanded on his appointment

                          The decisions of the security council and the chairman of the security council are mandatory and are subject to strict execution by state bodies, organisations and officials of the Republic of Kazakhstan

                          I’d imagine things haven’t changed all that much.

                          1. 3

                            Agreed, the relinquishing of the presidency looks like window-dressing to me.

                            (Edit: clarification)

                      2. 4

                        It is neither democratic nor a republic.

                  2. 1

                    With TLS 1.3, that’s going to be one slow or very expensive MITM.

                    1. 4

                      How so?

                      1. 6

                        TLS 1.3 only allows for perfect forward secret cipher suites so they can’t just passively send all the traffic to a bucket and decrypt it later. The proxying would have to be actively participating for all outbound connections to get the ephemeral keys.

                        1. 4

                          TLS man-in-the-middle is only passive if you can make the endpoint (e.g., facebook) use a shitty cert. That’s rather unlikely for services outside of their jurisdiction, but likely to happen for resources within KZ.

                          They can’t also do it passively for, say, facebook. If they want to use the fraudulent certificate they have to talk to the endpoint server using normal secure TLS (1.2, 1.3 doesn’t matter), decrypt using the endpoint’s certificate & TLS and then re-encrypt to the victim of the attack.
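The two points made in this thread, that the probe saw a facebook.com certificate issued by “No Data”/KZ instead of DigiCert, and that an interceptor has to terminate TLS 1.3 itself with a certificate of its own, can be reproduced in memory. The Go program below is an added example written for this page; it is not code from RIPE Atlas, Kcell or any of the commenters. It constructs two throwaway roots whose subjects merely imitate the names quoted above (no real DigiCert or government key is involved), issues a facebook.com leaf from each, and runs a TLS 1.3 handshake over net.Pipe between an in-process server and a client that trusts only the legitimate root. The client does its own chain check in VerifyPeerCertificate so the issuer it was shown is recorded even when the chain is rejected, which is exactly the signal a monitoring probe or a pinned client would alert on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ca is a constructed, in-memory certificate authority used only for this demo.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA builds a self-signed root; org/country only imitate the issuer fields
// quoted in the thread ("DigiCert Inc"/US versus "No Data"/KZ).
func newCA(org, country string) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, Country: []string{country}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key}
}

// issue signs a server certificate for host with this CA (the interception
// proxy in the thread does the same with the mandated root).
func (c *ca) issue(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Result records what the client observed during one in-memory TLS 1.3 handshake.
type Result struct {
	IssuerOrg, IssuerCountry string // issuer of the leaf the server presented
	Accepted                 bool   // whether the chain verified against the trusted roots
}

// handshake runs a TLS 1.3 client against a server over net.Pipe. The server
// presents serverCert; the client trusts only `trusted` and expects `host`.
func handshake(serverCert tls.Certificate, trusted *x509.CertPool, host string) Result {
	var res Result
	cconn, sconn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // safety net so a broken handshake cannot hang
	cconn.SetDeadline(deadline)
	sconn.SetDeadline(deadline)

	done := make(chan struct{})
	go func() {
		srv := tls.Server(sconn, &tls.Config{
			Certificates:           []tls.Certificate{serverCert},
			MinVersion:             tls.VersionTLS13,
			SessionTicketsDisabled: true, // keep the server flight to the handshake messages only
		})
		srv.Handshake() // a rejected chain surfaces as an alert on this side; the client reports it
		sconn.Close()
		close(done)
	}()

	cli := tls.Client(cconn, &tls.Config{
		ServerName:         host,
		MinVersion:         tls.VersionTLS13,
		InsecureSkipVerify: true, // built-in verification is replaced by the explicit check below
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			res.IssuerOrg, res.IssuerCountry = first(leaf.Issuer.Organization), first(leaf.Issuer.Country)
			_, err = leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
			res.Accepted = err == nil
			return err // non-nil aborts the handshake, as a browser without the extra root would
		},
	})
	cli.Handshake()
	cconn.Close()
	<-done
	return res
}

func first(s []string) string {
	if len(s) == 0 {
		return ""
	}
	return s[0]
}

func main() {
	realCA := newCA("DigiCert Inc", "US") // stand-in for the genuine public CA
	kzCA := newCA("No Data", "KZ")         // stand-in for the mandated interception root
	trusted := x509.NewCertPool()
	trusted.AddCert(realCA.cert)
	for _, c := range []*ca{realCA, kzCA} {
		r := handshake(c.issue("facebook.com"), trusted, "facebook.com")
		fmt.Printf("issuer=%q country=%q accepted=%v\n", r.IssuerOrg, r.IssuerCountry, r.Accepted)
	}
}
```

The second run is the situation the probe captured: the handshake completes only as far as the Certificate message, the issuer is “No Data”/KZ, and the client aborts with a bad-certificate alert. Note that the interceptor had to hold the leaf’s private key and run the TLS 1.3 key exchange itself; nothing in a passive capture of this exchange could be decrypted later, which is why a forward-secret protocol forces the active proxy the thread describes.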