There is now MITM on HTTPS traffic in Kazakhstan.

But for MITM to work, other than installing the certificate, there has to be someone proxying the request, right? Will that role be played by the ISPs?

Say I want to connect to Facebook. Does the proxy spoof Facebook's certificate? How does that work?

Accessing Facebook under the MITM scheme and looking at the certificates from the browser, would the MITM certificate be visible?

  • It works like this: the CA, once installed, allows decryption of your secure traffic no matter the destination. – Overmind Jul 22 '19 at 11:59
  • So how did users in Kazakhstan end up with that cert inside their browser/OS trust store? – Navin Jul 23 '19 at 13:41
  • @Navin As explained in the link, ISPs contacted end-users and told them to download and install that certificate. I don't understand Kazakh, but my guess is that they tell users to do that to make the error messages, which now appear on all HTTPS websites, go away. – Philipp Jul 23 '19 at 14:35
  • So glad that this is one problem I do NOT have. – Randy L Jul 24 '19 at 21:44
  • [How is it possible to do TLS through proxy without anyone noticing?](https://security.stackexchange.com/q/115762/29925), [Man-in-the-middle Blue Coat proxy SSL or what?](https://security.stackexchange.com/q/33976/29925), [How is intercepting my own HTTPS traffic possible?](https://security.stackexchange.com/q/191759/29925), [How does SSL Proxy server in company work?](https://security.stackexchange.com/q/133254/29925), [How to prevent proxy server from HTTPS packet inspection?](https://security.stackexchange.com/q/136503/29925), etc. – Jul 25 '19 at 08:01

1 Answer

How does that work?

They seem to use an in-the-middle SSL Bump proxy.

  • First, it works as a transparent proxy, meaning it will silently redirect all HTTPS traffic to SSL Bump proxy servers.
  • You have to install and accept the proxy's Certificate Authority cert to make this work.
  • Once done, each SSL connection is made from your host to the SSL Bump proxy with an on-the-fly generated certificate reproducing the real certificate's properties. Have a look at the screenshot from https://bugzilla.mozilla.org/show_bug.cgi?id=1567114 (and pay attention to the certificate issuer and the start-of-validity timestamp).
  • Then, the proxy pretends to be the targeted website (Facebook) to receive your request.
  • It reproduces your request (pretending to be you) to the real website.
  • It receives an answer from the real website.
  • Now, the proxy is able to store the request and/or answer if built to do so.
  • Then it forwards the answer to your browser.

Will that role be played by the ISPs?

Probably yes, but it could be located anywhere before the traffic leaves the country.

Would the MITM certificate be visible?

Yes. As these certificates are mostly generated on the fly, have a look at the "Validity Not before" (in this case approx. 1 day before the request) and the "Certificate Issuer" (in this case: No data instead of DigiCert Inc).

To check this, go to different websites and check each cert. If you always see the same Issuer, and for each site you reach you always see a Not before with the same interval from your 1st request...

Take some references: Google's issuer is Google Trust Services, Facebook uses DigiCert Inc and so on... Take your own references.

For a website you know well (i.e. you know if and when the SSL cert could be updated), you could use fingerprints to verify certificates.

What to do

Go to your browser's config/preference -> security -> show/manage SSL certificates and delete/drop/untrust unwanted certificates (in this case, search for No data or KZ).

Of course, once this is deleted, you will not be able to reach the internet through this network!

You may try to use a VPN (public or private), but I don't know how connections other than HTTP(S) are treated. Even VPN over HTTP(S) may work until the official proxy's sysadmins see your encrypted stream...

You could connect to the Internet in alternative ways (satellite, radio frequencies, private wires...).

Use alternative hardware and be careful about your activities while you're connected to this network.

About the picture:

This picture was found at https://bugzilla.mozilla.org/show_bug.cgi?id=1567114 and edited to underline:

  • In blue: at the top, the date of the picture, which I suppose is near the connection and screenshot. On the right, the Not before, which seems to start just 24 hours before the screenshot. (I assume the whole picture was done some minutes after the last cert screenshot, which was done some seconds after the connection, but I'm not sure.)
  • In orange: the certificate issuer. On the left side, the real issuer; on the right side, there is No data, which is more than suspect!
  • In red: this mark was already present before my edit. You can see KZ instead of US, but this field could be faked too!

So ensuring the same Certificate Authority is not used on radically different domains is a good indication. (i.e. if you see the same issuer when reaching Microsoft as for Google or Facebook, then there is something wrong!)

  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/96632/discussion-on-answer-by-f-hauri-how-can-kazakhstan-perform-mitm-attacks-on-all). – Rory Alsop Jul 25 '19 at 23:34