[ad_1]
Against the background from China, Russia and Iran trying to sequester their own private national internet, other countries like Kazakhstan have experimented with similar balkanization and Internet control initiatives. Kazakhstan first tested a surveillance system in 2015 providing access to all web traffic in the country, even to encrypted data. After fierce debates and legal obstacles over the years, the government has been testing this draconian screening system in July. Now, Google, Mozilla and Apple integrate technical protection with their browsers Chrome, Firefox and Safari to defend themselves.
Today, the three companies announce new defenses blocking the mechanism of interception of traffic of the Government of Kazakhstan. When browsers detect that this monitoring has been enabled, they block the connection and display a warning. Users will not be able to ignore this warning, even if they wish.
The Kazakh government has been the subject of intense criticism and the situation continues to evolve. On August 6, about three weeks after the government launched its mass surveillance initiative, officials said the program, which was only testing the potential impact on users, was suspended. The researchers say that, in practice, surveillance only targeted certain popular sites for a relatively small group of Internet users. But the government has the ability to launch a much larger campaign if it wishes in the future.
"The security test of the program against cybercrime has demonstrated a high level of technical capacity," said Kazakh President Kassym-Jomart Tokayev tweeted (translated by Google Translate and Reuters). "The most important thing is that there is no inconvenience for Internet users in Kazakhstan. There is no reason to be worried."
Lily Hay Newman discusses information security, digital privacy and hacking for WIRED.
For Google, Mozilla and Apple, as well as organizations for data privacy and the freedom of the Internet, the concerns are both major and permanent. Encrypted Web traffic – these HTTPS connections indicated by a green padlock – uses special "certificates" to determine that web servers are not false. However, the Government of Kazakhstan has asked ISPs to distribute full access root certificates to all their users and ask them to install digital certificates on their devices and browsers if they wish to access Internet. The researchers then observed that the government was using this master key to monitor encrypted data sent to and from dozens of well-known social media communication services and platforms, such as Facebook, Google, and Twitter.
"We believe that people's security and privacy are fundamental and can not be treated as optional online," said Marshall Erwin, senior director of trust and security at Mozilla, in a statement. "This certificate represents a significant threat to our users, which is why we take steps to protect them."
On Wednesday, an Apple spokesman said: "We have taken steps to ensure that the certificate is not approved by Safari and our users are protected from this problem."
Similarly, Google claims to have completely blocked Kazakh invasive certificates, issued by a so-called certification authority called Qaznet trusted network. "Chrome will block the certificate that the government of Kazakhstan has asked users to install," wrote Andrew Whalley, a member of the Chrome security team, in a blog shared with WIRED. "In addition, the certificate will be added to a blocking list in the Chromium source code and should therefore be included in other Chromium-based browsers in a timely manner."
According to Google and Mozilla, this impact on other Chromium-based browsers is important, even though the government of Kazakhstan claims to have suspended its mass surveillance for the time being. Given the long-standing commitment of the government to put in place some sort of root certificate-based traffic monitoring, it is quite possible that the government will eventually resume the activity. If this is the case, Google, Mozilla and Apple will have the infrastructure to respond and add more certificates to their blocking list, if necessary.
"Even though the government's test is apparently over, the mechanism that it can use to spy on web traffic is still in place," says Erwin of Mozilla. "And some users may still have this malicious certificate installed." Essentially, these users are still vulnerable, even if the attack is not in progress, so we do not expect the vulnerability to be exploited again. to fix it. "
The pro-democracy group Freedom House has described the Internet as "not free" in a "Freedom on the Net" report of 2018. In addition to concerns about mass surveillance, the group has also cited repeated incidents of Internet censorship in which the Kazakh government blocked access to communications, social media and news services for hours during political speeches, protests and demonstrations. other controversial national events. .
Adrian Shahbaz, research director for Freedom House's Technology and Democracy Program, says Kazakhstan may have stepped down on its project of implementing certificate-based surveillance for the time being as the country is in a politically difficult time. Nursultan Nazarbayev, Kazakhstan's long-time authoritarian ruler, transferred power to incumbent President Kassym-Jomart Tokayev in an election in which Tokayev won 70.7 percent of the vote. But Shahbaz also notes that the Kazakh government has already set up a vast digital monitoring and surveillance apparatus, including Russian spy tools and invasive relationships with Internet service providers, and that it is probably in a hurry to put in place an additional mechanism.
"They have all kinds of information checks already in place, especially before the elections to make sure everything is going well," Shahbaz said. "So, I think that the Kazakh authorities have seen the backlash of this initiative and they could have thought:" Better to drop this case before the situation becomes too exacerbated. "Because it's a politically sensitive moment for the new government."
Google and Mozilla say that Internet users in Kazakhstan should become familiar with tools that mask or anonymize their Internet connections, such as VPNs and Tor. And they encourage all those who have installed the root certificate of the Government of Kazakhstan to remove it so that they do not leave behind a back door to their Internet traffic concealed on their devices. But if users encounter compromised connections, at least Firefox, Chrome and Safari will now issue a warning and stop monitoring.
August 21, 2019 7:50 AM ET: This message has been updated to reflect the fact that Apple has also added Safari protections.
More great cable stories
[ad_2]
Source link