8

Kazakhstan has forced all users in its territory to install a state-issued SSL root CA certificate "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats."1

The consequence is pretty straightforward: Anyone who controls the root CA knows everything you send through HTTPS, including your login passwords (provided the website relies on TLS-encrypted connections), your submitted forms and your credit cards.

In this case, is it still possible to send anything to a website, without any 3rd-party being able to intercept the connection and any data transmitted? Is there any way to avoid this MITM, or mitigate its impact?

iBug
  • 1
    Not an exact duplicate but you may be interested in this: https://security.stackexchange.com/q/194353/149676 – Conor Mancone Jul 19 '19 at 16:34
  • In general it depends greatly on how they do it, but in all likelihood it's a losing battle. To not allow them to sniff everything you would have to use a device/browser that doesn't have the root certificate installed. That's actually quite easy, with a hundred different methods that allow you to easily circumvent the root certificate. However, they could just as easily block any and all https traffic that doesn't funnel through their systems. In that case you can't do anything, except hope to find a proxy that isn't blocked. – Conor Mancone Jul 19 '19 at 16:38
  • Firefox will warn you every time you turn it on that you are possibly a victim of MITM attack. – MrSnowMan Jul 19 '19 at 17:06
  • You can still encrypt data, but it will have to be in addition to the encryption done by HTTPS. Chances are very, very likely that it would be noticed and you'd have someone knocking on your door asking you what's up. In addition, it's always possible to do steganography in such a scenario, e.g. maybe encode something in what appears to be a JWT token, but that would take technical sophistication well beyond the average user. – Swashbuckler Jul 19 '19 at 17:44
  • 1
    How are they enforcing this? – Andrew Jul 22 '19 at 08:37

6 Answers

1

There are a few options that you may have available:

  1. You can check to see which sites have been potentially MITM'd by checking the cert tree for each site you visit. Click the lock icon, view the cert, then look at the issuing certs until you get to the root. If the root is the state root that you installed, then they very well could be monitoring any of the data you send as if it is HTTP instead of HTTPS. This at least gives you some insight into the situation.
  2. Put some trust in some of the sites you visit. Not all sites send password information in plain text, so the fact that the state can see that data doesn't necessarily mean that they have your password. This can be done using JavaScript client code that can do DH, and also hash passwords (among other methods). Not the most satisfying point to make, but it's something.
  3. Use a VPN. While using the VPN, you can use a browser that doesn't have the root certs in question, so you will get a giant warning if you happen to encounter a site that has been MITM'd by them or anyone else. Of course, if they are doing more than HTTPS filtering, they may be attempting to block VPNs. This may also raise a red flag and make it obvious that you are working around their monitoring.
  4. Use TOR. TOR effectively hides your traffic like a VPN does, but it can be a little stealthier about it and make it less obvious that you are trying to work around the state monitoring. There's a constant give and take between states that try to block or identify TOR traffic and the TOR developers. If your country isn't working as hard as another, then you likely get the most benefit.
  5. Use a service like Amazon Workspaces, in which you make use of a remote desktop running in a cloud in another country. You are sending keyboard and mouse info, and you get back display and sound. These services often use their own protocols (like PCoIP in the case of Workspaces) which are often encrypted and don't look like traditional web traffic.

Bottom line: if your government wants to see what you're doing online and has demonstrated a willingness to use technology to do that, then they are likely going to adapt and evolve the technologies they use to enforce their desire. For you to evade them, you will have to be willing to adapt and evolve just a little faster. You must also be willing to take the chance that you may be caught, and face whatever actions are associated with that. I'm not suggesting that you do anything--just listing a few options that you could choose... or not. There are many options I didn't list, and many new ones are being created all the time. Good luck, and stay safe!

Lampshade
0

I think the best option is tunneling your HTTPS traffic to a device that resides outside of Kazakhstan using an application that pins certificates. You would need a way to obtain the certificate of the device; this could be done by

  1. you leaving the country, allowing you to use devices out of the reach of the government
  2. getting help from a non-Kazakh citizen that delivers certificate information to you in a secure manner (e.g. by writing down its fingerprint and physically giving it to you or using secure messengers such as WhatsApp or Signal)
D.O.
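The pinning check described in the answer above, as an added example that is not part of the original post: it compares the certificate a server presents against a SHA-256 fingerprint received out of band, instead of relying on the local root store. The function names, the default timeout and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER certificate; any byte string works for the hash check.
SAMPLE_DER = b"constructed-example-certificate-bytes"

def normalize_fingerprint(text):
    """Turn a hand-copied SHA-256 fingerprint ('AB:cd ef...') into 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned

def fingerprint(der_cert):
    """SHA-256 over the DER encoding, the value most tools show as the fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()

def matches_pin(der_cert, pinned_text):
    """True only if the presented certificate is exactly the pinned one."""
    return hmac.compare_digest(fingerprint(der_cert), normalize_fingerprint(pinned_text))

def connect_pinned(host, port, pinned_text, timeout=10.0):
    """Open a TLS connection that trusts the pin instead of the local root store.

    Chain validation is switched off on purpose: once a forced root is installed,
    the trust store cannot tell an interception certificate from the real one,
    so the fingerprint comparison is the only trust decision made here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)   # raw DER is returned even with CERT_NONE
    if der is None or not matches_pin(der, pinned_text):
        tls.close()
        raise ssl.SSLError("certificate does not match the pinned fingerprint")
    return tls
```

A mismatch means the certificate seen on the wire is not the one whose fingerprint was handed over, which is what an intercepting proxy re-signing the connection would produce.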
0

What is the sense of certificates?
It is to enable trust. Imagine you're surfing the website example.com. You trust in the fact that https://example.com is the identity that it claims to be, and that your communication with that server is safe from wiretapping. The CA chosen by example.com to sign their certificate signing request is usually (ideally?) a highly trusted organization that built their reputation over years, so that they made it into the out-of-the-box CA list of the browsers.
When a party creates their own certificate for example.com, and signs it with their own CA in order to be a man in the middle, then this is a malicious act (especially when this is by force and especially when it's a state), because they erode the trust that a certificate authority should responsibly respect and they're undermining the civil liberties of the people that they represent.
Usually these kinds of governments are called totalitarian regimes. See https://en.wikipedia.org/wiki/Human_rights_in_Kazakhstan

What can you do in technical terms?
- use an open SOCKS proxy (NordVPN and similar; connect to it through SSH, and then configure your browser to use that proxy)
- use a TOR browser with a TOR proxy to connect to the web

lab9
0

There is some likelihood that commercial VPN providers or TOR nodes are blocked. At least you'd risk increased scrutiny.

One simple approach would be:

  • get some cheap VPS outside of Kazakhstan
  • connect with ssh's -D parameter: ssh -D 127.1.2.3:8022 ssh.example.com
  • configure your browser to use 127.1.2.3:8022 as a SOCKS proxy

This approach has the advantage that you're not using a well-known VPN provider. Instead you're using a small and cheap server which is only used by yourself. This increases your chances of staying under the radar.

Further, you're not having to configure anything complicated on the ssh server. So, in case that it ever gets blocked by Kazakh ISPs/gov, you can simply drop it, get a new one and be up and running again within minutes.

toe
-1

“Anyone who controls the root CA knows everything you send through HTTPS, including your login passwords.”

This is not true.

First, note that what you are saying implies that Verisign (for example) can read your login passwords, credit card details, etc. That is quite obviously not the case.

If you trust me as a root CA, that means that your browser will trust any certificate signed by me.

Let us suppose that I am intercepting every packet sent to and from your browser, and you visit https://google.com.

  1. If your browser receives a certificate signed by the usual root CA used by Google - or by any root CA other than me - then your communications are totally secure. I cannot read or alter anything.

  2. If your browser receives a “google.com” certificate signed by me, then and only then, it is possible for me to read your transmissions and even alter them if I want.

Your browser will tell you which root CA is being used if you ask it (at least, desktop browsers will). So you will be able to know, whenever you want, whether 1 or 2 is the case.

To summarize: installation is not use. Installing a root CA does not make anything interceptable. Only using a certificate signed by that CA makes your security dependent on that CA’s policies. And (with appropriate browser support) you can always know when you are being intercepted.

  • 7
    While technically true, I don't think this answer is very helpful. Yes, you have to have installed a root cert and be a MitM to read all traffic, so the quote from the OP is technically incorrect. However, the state has announced its desire to monitor all traffic, it has its own cert so that it can intercept all traffic, and it has ordered all ISPs to require the cert for everyone, force them to install it, and then to monitor all traffic. So while it's true that the cert's presence is not an issue if unused, **I think it's safe to assume that it will be used in this case** – Conor Mancone Jul 22 '19 at 14:22
-5

First: if the state requires everyone to have a state-controlled root certificate installed, and it's a law, then being a good citizen requires following the law.

Second: The question you're asking becomes a question of legality. This is not something that can be reasonably answered with technology, because the laws of an area govern the technology that can or can't be used.

These both being the case, I agree that technological solutions are only going to cause trouble for you, because clearly the government believes that nobody would ever be able to breach their security and steal the very information they're claiming to protect. While governmental breaches happen on a more-or-less daily basis (chiefly, because policy-makers don't actually ask computer experts to explain how things work and understand why they must necessarily work that way), their intent to snoop is obvious, but ultimately will become self-defeating.

The answer, therefore, is to be a good citizen, and patiently obey the law, until such time as the security breaches make it clear that the government can't handle being the only CA for the entire country.

  • 1
    I have a few doubts. Such a law would definitely breach the constitution of any modern state (as every constitution to some extent assures privacy of personal life) + it is against common sense. Governments should not put their noses in your data or we very fast will appear in George Orwell’s 1984. Also, if tomorrow there will be a law that every citizen should have the same Facebook/Google/whatsoever password, will you change it? – MrSnowMan Jul 20 '19 at 04:23
  • While I don't disagree with you on any particular point, most governments in the past few years have seemingly justified ways around privacy for the sake of pursuing their own interests, and so my answer remains as it is. We can't idealize the situation, but must accept things as they are, in order to answer this. Orwell's story isn't the case yet, but it's closer today than even one decade ago. – JediGanesh Jul 22 '19 at 18:19
  • 1
    You actually do not have to accept things as they are. You only have to accept consequences of your actions. Arguably, your whole standpoint is very questionable and your arguments come mostly from authority: Entity X has authority, so you have to follow that authority, whether you like that or not. – D.O. Dec 18 '19 at 14:34