Recently, the government of Kazakhstan temporarily forced citizens to install a Certificate Authority (CA) which allows the state to decrypt all content and communications in a Man-in-the-middle Attack.
The certificate even allows the government to alter data, and trick users into running and downloading viruses and spyware. The initiative by the Kazakh government may have failed for now, but the threat is real.
Certificate Authorities explained
A Certificate Authority verifies that a website is who it says it is when encrypting data between its servers and you. The CA will sign the website’s encryption certificate, which is presented to the user every time you open a website.
Browser and Operating System vendors can’t possibly validate ownership of all websites on their own, so they delegate that to a number of trusted CAs. All CAs must have processes and checks in place to ensure certificates are only issued to the rightful owner of a domain.
For example, when visiting your bank’s website, you want to be sure you’re really using your bank’s website and not an imposter. So your browser will checks that the certificate presented by the website is issued by a trusted CA, thereby forming a “chain of trust” which provides proof that you’re really using the correct site.
In the past, there have been several cases where browser and OS vendors have taken the rights away from CAs because they’ve been proven to be incompetent or malicious in how they issue certificates. If the certificate authority signs requests for others, such as nation states or hackers, the system does not work.
Your computer comes with a set of certificate authorities pre-installed, while Firefox uses its own list, vetted by its own experts. Kazakhstan has been trying to get their malicious certificate authority included in Firefox, but Mozilla politely declined. The CA is also not included in any other major browser. It is, however, possible to manually add any CA.
A fake Certificate Authority
By creating their own certificate authority, the Kazakhi government is attempting to side-step this important chain of trust by giving themselves the ability to impersonate any site they want.
As long as they control the data stream, they are able to present any server as ‘legitimate’ and use it to phish your credentials. For example, the valid certificate of Twitter.com proves that you really are connected to Twitter, and that it is safe to enter your username and password. However, if your computer trusts a fake CA, somebody else might direct your connection to their own server, posing as Twitter.
What is a HTTPS certificate
Hypertext Transfer Protocol Secure (HTTPS) is a protocol used to encrypt websites. When you navigate to a website that supports HTTPS (by now the majority of all sites), an encrypted channel is set up between your device and the website’s server, making sure nobody inbetween is able to read your passwords or sensitive information. This is often indicated with a green lock in the browser’s address bar.
To verify whether your computer is connected to the “real” bank website, instead of a clone, the HTTPS certificate is signed by a CA. When you navigate to the site, the server will present an electronic signature showing that the authority has verified that it belongs to the website you are trying to visit.
Since HTTPS is very reliable when not subverted, a vast majority of websites and applications rely solely on the security provided by HTTPS in order to keep data safe in transit.
Encryption as simple as HTTPS can have a strong effect on online security and privacy, which is why authoritarian regimes are prone to attack it.
Especially in states with unreliable legal systems and a lack of accountability to power, we cannot trust governments with access to our private data. As countless examples have shown, private information (such as credit card information and private messages) will trickle down into the hands of regional departments, then individual officers and eventually into organized crime, where it threatens the stability of society.