Kazakhstan: A Poorly Thought-out Surveillance Technique or an Experiment For the West?
As of 1st January 2016, Kazakhstan will begin enforcing a new law that requires the presence of a "national security certificate" on every internet-capable device in the country, allowing the government to conduct surveillance.
The Government of the Kazakhstan plans to implement a new internet control policy for the whole population starting from 1st January 2016. The announcement was published by Kazakhtelecom JSC, the largest telecommunications company in the country, on Monday 30th November 2016; and stated the government would oblige the population to install a "national security certificate" on every internet-capable device in the country (most likely a root certificate of authority (CA) like the ones found in Lenovo's Superfish and Dell's Superfish 2.0 scandals), including desktops and mobile devices; leaving Kazakhtelecom (the ISP) able to carry out ‘man-in-the middle (MitM) attacks; all the other operators would be obliged by law to do the same, meaning that all HTTPS connections in Kazakhstan will be inspected.
This would allow the Kazakh government to monitor all web traffic on both desktop and mobile devices, and closely resembles China’s so-called Great Firewall. However, in contrast with China, which filters data through an expensive and complex digital infrastructure known as the Great Firewall, security experts say Kazakhstan are trying to achieve the same effect at a lower cost. The country is mandating that its citizens install a new “national security certificate” on their computers and smartphones that will intercept requests to and from foreign websites.
Then overnight on Wednesday, the page mysteriously vanished, with the URL now redirecting to the main Kazakhtelecom home page. However, it forgot that the Internet doesn’t forget and the posting is still available in Google Cache. In addition, Kazakhtelecom website, in December, will publish detailed instructions on how citizens can install the security certificates on every internet-capable device in the country.
“According to the law, telecom operators are obliged to perform traffic pass using protocols that support coding using security certificate, except traffic, coded by means of cryptographic information protection on the territory of the Republic of Kazakhstan,”
This means that carriers will be obliged to keep account of users who don't install the code, too, so people can't count on slipping under the radar. Telecom companies must monitor which internet users on its networks have not installed the certificate, according to a translation of the statement.
“The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources.” (archived here) That means that the Kazakhstan government particularly wants to look at a user's internet traffic before it can be encrypted by services like virtual private networks (VPN) or Tor, which keep a user's internet traffic anonymous by routing it through servers all over the world. That gives officials the opportunity to monitor mobile and web traffic between Kazakh users and foreign servers, in what security experts call a “man in the middle attack”, by bypassing encryption protections known as S.S.L., or Secure Sockets Layer, and H.T.T.P.S., technology that encrypts browsing sessions and is familiar to users by the tiny padlock icon that appears in browsers,
Ordering people to install a “malicious” certificate will let the Kazakhstan government spy on virtually any online traffic on devices with the certificate installed, whether or not it's encrypted, to steal people’s passwords, financial details and other important data. It allows the government to control the population, and to censor webpages before users are able to access them (literally whatever they want). Officials will not only be able to see Internet users’ content, but also block this data entirely.
This backdoor access is exactly what some officials have called for. They want companies like Apple to keep a master key, which the companies would use to unlock encryption when asked by law enforcement. But technology companies and lawmakers have pushed back against the request.
Corporations embrace similar systems to prevent employees from visiting certain websites at work, to be protected against information theft, or to scan for malicious computer viruses. But the circumstance of a local authority providing the certificate, in contrast with its statements that this new mandate will prevent “man in the middle attacks” relating to foreign servers, there is a widespread sense that this is simply a lightly covert maneuver intended to install citizen surveillance.
To make it easier to understand the depth of the problem, remember all the little things we do on the internet in one day, like checking our email, checking our bank balance, or going shopping. All the websites we visited for these tasks display a small padlock icon in the left corner of the browser window, which indicates that the data we are sending and receiving is encrypted and consequently protected from malicious interference.
When a computer or smartphone connects with a website using an encrypted protocol such as HTTPS (which makes that padlock appear), the data sent from one to the other is scrambled in such a way that it can only be deciphered by the sender and the recipient—anyone listening in on the stream of data would find only an incomprehensible jumble. The devices on either end are able to parse the data because they first exchange the keys needed to unlock the encryption.
By installing this "national security certificate" Kazakhstani people, in the name of national security, are giving the authorities there the keys to crack the encryption, take a look at the transaction, and then re-lock it before allowing it to go on to its intended recipient. This undertakes that everybody plays along, as the certificate will work on Android, iOS, OS X and Windows; but it will not work on Linux. However, when the government re-locks it, it will not look right when it arrives at its final destination. This practice is named a man-in-the-middle attack, and will take place in any device that has the certificate installed; giving the Kazakhstan government access to all HTTPS traffic (including citizens’ passwords, financial details and other sensitive data and private communication – as well as enabling the government to block any sites that it wants to, by not putting them on the ‘whitelist’). This certificate will trick web browsers and other apps into trusting the telco's systems that masquerade as legit websites, such as Google.com or Facebook.com. Rather than connect directly to those sites, browsers will really be talking to potentially malicious man-in-the-middle servers. This will result internet users being unable able to say if the website they are visiting is the original or its contents have been corrupted by the government.
This practice of the Kazakh government will seriously restrict citizens' freedom of speech and expression, an example of governments working to control communication and their own population. However, this is by no means exceptional. Governments around the world have been extending censorship and surveillance of the internet for years.
In a recent example, the Turkish government tried to block access to social media sites. Furthermore, Thailand is also making an effort to roll out its own MitM implementation. China and Russia also like to control what their citizens do online. China has by far the most severe restraints on internet freedom, followed by Syria and Iran. In China, the Great Firewall stops citizens from accessing sites that the government has judged off-limit, such as Twitter, Facebook, and even Wikipedia; in January, the Chinese government updated its firewall to block several popular VPN services from being used. Russian politicians proposed banning the technology in February. And in July 2014, the Russian federal government offered the equivalent of a reward of $111,000 in a competition to find a solution for cracking Tor (the onion routing network that allows Internet users to anonymise themselves by redirecting their internet traffic through a worldwide network of relays). This method is even more efficient than a VPN for protecting yourself online.
In Europe as well, we noticed the UK government effort to roll out “porn filters” as a ruse to control internet access; and France, in the wake of the Charlie Hebdo terrorist attacks, delivered a law similar to the US Patriot Act. Western intelligence agencies looking to prevent incidents like the mid-November Paris attacks, and countries such as the United States and the United Kingdom continue to express their fears against encrypted devices and internet services, saying they obstruct their work. However, US tech companies do not seem to be willing to shift and offer governments backdoor entrance to encrypted devices for eavesdropping purposes.
By ordering people to install a “national security certificate” on their computers and smartphones, Kazakhstan will be the first country to resort to such measures; keeping in mind the style of government, it seems quite obvious that this is simply part of its censorship mechanism.
Apart from the ethical aspect, this practice, more than just a tool for surveillance and censorship, also poses a serious security risk for users in Kazakhstan. In the “end-to-end” encryption, the keys to the data are only on the devices sending and receiving. Therefore, forming “backdoor” access with a new set of keys leaves this door vulnerable to attack making it a tempting target for hackers or other governments. That means that if a hacker gains access to the internet provider’s systems—a fully possible scenario if we think about the recent breaches into high-profile American and other companies and government agencies— the attackers can gain the same extensive control over the traffic going in and out of the country.
In addition, encryption procedure includes the validation that a client certificate is in fact derived from point A when it arrives at point B. Therefore, by using the national security certificate, Kazakhstani traffic might become unable to meet the authorization standards at point B stopping the web applications that make use of client certificates from operating.
Moreover, this Kazakhstani practice, with the state-issued “national security certificate,” can lead companies such as Google, Facebook and Microsoft to blacklist the Kazakh certificate authority making extensive areas of internet content inaccessible to users inside Kazakhstan (as happened with in 2011 with DigiNotar).
As you can imagine, this project seems to be an absolute disaster. By trying to introduce infrastructure that disables encryption on foreign communications through a masquerading certificate, Kazakhstan is making a brazen attempt to increase its ability to control security over the internet in the country.
Modern browsers and services like Google and Twitter have a list of authorised certificates to connect to their services, meaning they are likely to blacklist the rogue “national security certificate”, which will lead to a significant degradation in the usability in operating systems in Kazakhstan, as users of the most popular services would be intercepted. This will lead to the death of the Kazakhstan's digital economy as Kazakhstanis’ devices will cease to work for anything other than Kazakhstan sites hosted within the country. Further details have yet to be released about the country’s plan, but if history is any guide, going through with this sort of protocol won’t end particularly happily.
Even from the perspective of the intelligence agencies, this project seems a catastrophe. The probable blacklist of the certificate’s validity by services like Google, Twitter, and many others would cause a poor internet experience for end-users in Kazakhstan Therefore, as regards eavesdropping, there will be little useful intelligence gathered; as people will not able to connect to Google, Twitter, etc.
Kazakhstan has a history of strict censorship policies; privacy-minded citizens won’t welcome the new legislation, as it provides the government with the power to monitor anyone. In Kazakhstan, this translates as monitoring opponents of the political status quo. To boot, the measure could easily produce unintended consequences. Criminals could easily steal sensitive information if they find a way to abuse the certificate. Other countries, meanwhile, could use it to spy on both Kazakhs and their own citizens.
Something similar, but not such an extreme, might have taken place with the proposed UK law calling for service providers to provide a back door to their users' communications and banning end-to-end encryption. The US government is also looking for ways to bypass encryption in the name of national security, and pour billions of dollars every year into surveillance; however, it’s not likely to deploy a system as radical as those in Kazakhstan or China. Therefore, the Kazakh experiment might be useful for the United Kingdom and other countries heading to backdoor access; as there’s a real chance that this certificate could do more damage to the government’s supporters than to opponents that had no intention of playing by any rules. In my opinion, Kazakhstan will be a glorious fireworks display to watch, unless you happen to live there. Apart from the obvious, numerous ethical issues with this sort of mandated state surveillance, the most important issue for me is that the government has underestimated the technical risks and the consequences of the adoption of this certificate. Of course all these considerations lead us to the question: How safe we are in a surveillance society?
Christoforos Papachristou is a Market Intelligence Analyst at IHS, Inc http://bit.ly/1RmwPDw