Google and Mozilla today took action to protect the online security and privacy of internet users in Kazakhstan following credible reports that the Kazakhstan government was intercepting internet traffic within the country.
A report published on Censoredplanet.org presented evidence that Kazakhstan’s internet providers were requiring users to download and install a government-issued certificate on all devices and in every browser in order to access the internet.
Once a user downloads the certificate, the government is able to intercept account information and passwords belonging to that user and can decrypt and read everything the user types and posts. This style of attack is known as a man-in-the-middle (MitM).
The HTTPS connections targeted by Kazakhstan’s government read like the list of websites an anxious parent might search when trying to track down their unruly teenager. They include Instagram, Facebook, Twitter, YouTube, Google Hangouts and Russian social network OK.RU.
The Censored Planet reported stated that “although the interception is not yet occurring country-wide, it appears the government is both willing and potentially capable of widespread HTTPS interception in the near future.”
Browser companies Google and Mozilla deployed technical solutions within Chrome and Firefox to block the Kazakhstan government’s ability to intercept internet traffic within the country.
Marshall Erwin, senior director of trust and security at Mozilla, said: “Protecting our users and the integrity of the web is the reason Firefox exists.”
Speaking on behalf of Chrome, Parisa Tabriz, senior engineering director, said: “We will never tolerate any attempt, by any organization – government or otherwise – to compromise Chrome users’ data.”
What the Kazakhstan government lacks in subtlety when it comes to spying on the online activity of its citizens, it makes up for in persistence.
The Kazakhstan government put in a request with Mozilla back in 2015 to have a root certificate included in the company’s trusted root store program. The request was denied when Mozilla discovered that the government intended to use the certificate to intercept users’ data.
Undeterred, the government tried to force its citizens to manually install the certificate, but its ruse failed when organizations took legal action.