Firefox, Chrome and Safari block "national certificate" implemented in Kazakhstan

Google, Mozilla and Apple announced that the "national security certificate" being introduced in Kazakhstan has been placed on their lists of revoked certificates. Using this root certificate will now result in a security warning in Firefox, Chrome/Chromium, and Safari, as well as in derivative products based on their code.

Recall that in July an attempt was made in Kazakhstan to establish state control over secure traffic to foreign sites under the pretext of protecting users. Subscribers of a number of large providers were ordered to install a special root certificate on their computers, which would allow encrypted traffic to be intercepted quietly at the provider level by wedging into HTTPS connections.

At the same time, attempts to use this certificate in practice to substitute traffic to Google, Facebook, Odnoklassniki, Vkontakte, Twitter, YouTube and other resources were recorded. When a TLS connection was established, the real certificate of the target site was replaced by a new certificate generated on the fly, which the browser marked as valid if the user had added the "national security certificate" to the root certificate store, since the fake certificate was linked by a chain of trust to the "national security certificate". Without installing this certificate, it was not possible to establish a secure connection with the mentioned sites without additional tools such as Tor or a VPN.

The first attempts to spy on secure connections in Kazakhstan were made in 2015, when the government of Kazakhstan tried to get the root certificate of a controlled certification authority included in the Mozilla root certificate store. During the audit, the intention to use this certificate to spy on users was revealed, and the application was rejected. A year later, amendments to the law "On Communications" were adopted in Kazakhstan, requiring users to install the certificate themselves, but in practice the certificate began to be imposed only in mid-July 2019.

Two weeks ago, the introduction of the "national security certificate" was canceled with the explanation that this was only a test of the technology. Providers have been instructed to stop imposing the certificate on users, but in two weeks of implementation many Kazakh users have already installed it, so the potential for traffic interception has not disappeared. With the curtailment of the project, the risk of the encryption keys associated with the "national security certificate" falling into other hands as a result of a data leak has also increased (the generated certificate is valid until 2024).
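Because an installed root stays trusted until it is removed, a trust store can be audited for it. The following is an added example, not code from the original article or from any browser vendor: it fingerprints every entry in a PEM bundle and reports those on a blocklist. The sample "certificates" are constructed placeholder bytes, and the names `distrusted_roots` and `BLOCKLIST`, as well as matching by SHA-256 of the DER encoding, are assumptions of this example.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here only to build the sample bundle)."""
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


def fingerprints(bundle: str) -> list[str]:
    """Return the SHA-256 fingerprint (lowercase hex) of every entry in a PEM bundle."""
    out = []
    for body in PEM_BLOCK.findall(bundle):
        # PEM bodies are line-wrapped base64; strip whitespace before decoding.
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    return out


def distrusted_roots(bundle: str, blocklist: set[str]) -> list[tuple[int, str]]:
    """Return (position, fingerprint) for each bundle entry found on the blocklist."""
    # Accept "AA:BB:..." as well as plain hex, in either case.
    wanted = {fp.replace(":", "").lower() for fp in blocklist}
    return [(i, fp) for i, fp in enumerate(fingerprints(bundle)) if fp in wanted]


# Constructed stand-ins: arbitrary bytes, not real certificates.
ORDINARY_ROOT = b"constructed-placeholder: ordinary root CA"
IMPOSED_ROOT = b"constructed-placeholder: user-installed interception root"
SAMPLE_BUNDLE = to_pem(ORDINARY_ROOT) + to_pem(IMPOSED_ROOT)

# Placeholder blocklist entry derived from the constructed bytes above.
# A real audit would use the fingerprint published for the distrusted root.
IMPOSED_FP = hashlib.sha256(IMPOSED_ROOT).hexdigest()
BLOCKLIST = {IMPOSED_FP.upper()}

if __name__ == "__main__":
    for position, fp in distrusted_roots(SAMPLE_BUNDLE, BLOCKLIST):
        print(f"entry {position} is on the blocklist: {fp}")
```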

The imposed certificate, which cannot be refused, violates the certification authority verification scheme, since the authority that generated this certificate did not pass a security audit, did not agree to the requirements for certification authorities and is not required to follow the established rules, i.e. it can issue a certificate for any site to any user under any pretext.
Mozilla believes that such activity undermines the security of users and is contrary to the fourth principle of the Mozilla Manifesto, which considers security and privacy as fundamental factors.

Source: opennet.ru
