On the morning of 6 December 2020, residents in Kazakhstan’s capital Nur-Sultan received a message from their government politely requesting permission to hack their internet connection.
“To keep access to some foreign internet resources, we ask you to install a certificate on all your devices,” the message read, before providing a link to download the file onto their device. The Kazakh government later described this certificate as a trivial measure that would allow users to participate in a national cybersecurity exercise.
Within a few hours, the news had reached the desk of Eric Rescorla, chief technology officer for the Firefox browser. His heart immediately sank. It was clear that the file in question was a root certificate similar to one that the Kazakh government had attempted to enrol onto Mozilla’s CA Certificate Program in 2015 and, when that failed, foisted onto citizens in Nur-Sultan four years later. When downloaded, the file allowed the authorities to decrypt and divert all internet traffic passing through a user’s browser – a so-called ‘man in the middle’ attack.
Firefox-maker Mozilla – alongside other browser providers including Apple, Google and Microsoft – had banned the first iteration of the root certificate. By 19 December, they did the same for its successor. “We’re sad that they keep trying to do this,” says Rescorla. “I think we’ve been very fortunate that we did such a thorough job last time.”
In Kazakhstan, the effect was instantaneous. “That decision made [the certificate] almost unusable,” says Talgat Nurlybayev, an associate professor at the International IT University in Almaty, the country’s second city. News of the ban spread rapidly among Kazakh media outlets.
It came at a decidedly delicate political moment for the country, Nurlybayev explains. “Kazakhstan is in transition,” he says, caught between the authoritarian impulses of the country’s still-influential former president, Nursultan Nazarbayev, and the liberalising policies of Kassym Tokayev, who succeed Nazarbayev in 2019. Whether the Kazakh government will continue to interfere with its citizens’ web browsing depends, he says, “on which trend will win”.
Beyond Kazakhstan, the incident presents a dangerous precedent. It forced Western browser makers to become the privacy gatekeepers for millions of people. And it illustrates the growing pressure on the tech giants to take sides in a widening, digital divide between the Western democratic model and a system where free political expression comes at the cost of a prison sentence, or worse.
Between liberty and authoritarianism
On the surface, Kazakhstan seems like a surprising venue in which to define the future of internet censorship. Despite its association with Sacha Baron Cohen’s comedy character Borat, the country has worked hard to build a reputation as an island of economic prosperity and stability in Central Asia. Its government engages enthusiastically with international organisations and has made several public commitments to economic openness and the protection of human rights.
The reality is more nuanced. Since its independence from the Soviet Union in 1990, Kazakhstan has been under the effective control of former Communist Party apparatchik Nursultan Nazarbayev. While economic controls have significantly relaxed under his rule, almost all mass media and the telecommunications infrastructure are controlled by the state. National elections are frequently criticised as rigged, and freedom of speech remains restricted – conditions that are belied, says Freedom House analyst Noah Buyon, by the outward vibrancy of the country’s internet landscape.
“By and large, social media is now unblocked in Kazakhstan,” explains Buyon. Users also enjoy “access to ample domestic and mobile international news and entertainment resources,” allowing for a degree of free expression online that Kazakh citizens have grown to value in recent years. This is partly a symptom of the internet’s early development in Kazakhstan, underpinned by state-owned telecommunications infrastructure but largely powered by software originating in the West.
However, these online freedoms do not extend to political discourse. The government began to block sites that it viewed as platforms for dissent in 2008, when it banned blogging network LiveJournal after Nazarbayev’s son-in-law used it to accuse him of corruption. Since then, it has imprisoned opposition bloggers, temporarily blocked social media and even inflicted internet outages, most notably during the 2019 presidential election.
Hopes for a more liberal Kazakh internet policy now rest with Tokayev. Although it is widely assumed that Nazarbayev continues to hold ultimate power in the country, Tokayev’s accession was portrayed by the authorities as a time to reassess internet censorship. “The pattern of social media platforms being blocked seemed to abate for a bit,” explains Buyon. Websites such as Soundcloud and Medium, blocked for ostensibly hosting ‘extremist’ content, were allowed back online.
The government has nevertheless persisted in pushing what it calls the ‘National Certificate of Security’. “The root certificate is part of Kazakhstan’s national Cyber Shield programme designed to prevent foreign cyberattacks on critical infrastructure as well as counter overseas disinformation campaigns aimed to incite racial, ethnic, social, and religious hatred in Kazakhstan,” the country’s Ministry of Digital Development, Innovations and Aerospace Industry said in a statement to Tech Monitor. Installing the certificate is voluntary, the Ministry added, and its use by the government was confined to a single cybersecurity exercise held on 6 December in Nur-Sultan.
But there is little to suggest that the software protects against cyberattacks. In fact, the root certificate allows the Kazakh state to bypass Hypertext Transfer Protocol Secure (HTTPS) encryption between the host device and select websites, mostly social media and news sites. This so-called ‘man in the middle’ attack bypasses protocols that prevent a third party intercepting data exchanged between a website and its users.
“The modern network protocols we have… are built around the notion of trust to certain entities,” explains Leonid Evdokimov, a cybersecurity researcher and the affiliate of a team at the University of Michigan that uncovered the precise dimensions of the 2019 man-in-the-middle attack. It is underpinned by HTTPS, a communications protocol that encrypts internet traffic and prevents third parties from reading or changing it while in transit. In this system, servers vouch for themselves by presenting certificates signed by Certificate Authorities, which “provide the chain of trust that the entity you’re communicating with, [such as] ‘teams.microsoft.com’, is actually the real ‘teams’”.
Browsers maintain a running list of the Certificate Authorities they trust to provide these means of identification for websites. In 2015, the Kazakh government attempted to apply to be included as one in Mozilla’s root CA store. Fears that its enrolment would allow it to extend its surveillance of the population, however, led to the company refusing the request.
“I do want to just emphasise just how impactful and dangerous it can be to have a root certificate installed in someone’s machine,” says Dave Levin, a cybersecurity researcher at the University of Maryland. “When you do that, you can start to impersonate anybody. And then you can start to not just listen in and eavesdrop, you can start manipulating [traffic].”
I do want to just emphasise just how impactful and dangerous it can be to have a root certificate installed in someone’s machine.
Dave Levin, cybersecurity researcher, University of Maryland
This could include redirecting user traffic away from certain sites banned under a censorship mandate or fraudulently diverting payments intended for one bank account to another. And if an attacker chooses to do this, it can be extremely hard for the victim’s machine to detect it.
Limited impact
The security community’s response prompted the Internet Society of Kazakhstan to issue a statement criticising the roll-out of the root certificate. Perhaps unsurprisingly, chapter president Nurlybayev never downloaded the certificate – and neither has anyone within his circle of friends. “I heard about the people who installed the certificate, but I do not know them personally,” he says.
This might reflect the digital literacy of Kazakhs, the majority of whom are now online via their smartphones. The attacks in 2019 and last year were also small, according to an analysis conducted by Censored Planet, an internet censorship group run by the University of Michigan. According to its report on the 2019 incident, the attack was entirely confined to the capital and affected approximately 7% of all servers holding valid browser-trusted certificates and around 30,000 domains of mostly social media and communication sites. The attack in 2020, meanwhile, saw that percentage rise to 11.5%.
One reason why the attack wasn’t more ambitious may be that a national internet censorship system has the potential to create a cybersecurity threat. Evdokimov points to an incident in Egypt, where the censorship system was unintentionally distributing ad-injection malware to anyone attempting to access pornographic websites.
Another reason may also be that certain government insiders might be resisting the censorship regime. Evdokimov’s analysis of Kazakh web blocking apparatus revealed “some really strange technical decisions in some places” that impaired the security of the system.
Whatever its scale, the man-in-the-middle attack perpetrated by the Kazakh government has set a dangerous precedent for other authoritarian regimes, according to Mozilla’s chief security officer, Marshall Erwin. “One concern that I have [is] not necessarily that this will be a route that the Kazakh government chooses to go down again, but rather that we might see a general interest in [this being] pursued elsewhere,” says Erwin.
One concern that I have is that we might see a general interest in [this being] pursued elsewhere.
Marshall Erwin, chief security officer, Mozilla
This process has already begun. In 2019, Mozilla rejected an application by a company called DarkMatter to enrol in its certificate programme, citing reports that linked DarkMatter to a hacking group backed by the UAE government.
“There was a very loud, aggressive public discussion on our mailing lists about whether this was the type of entity that we wanted to allow into that programme,” Erwin says. “It was independent of the other browser makers, although when they saw the ultimate decision that we made to deny the DarkMatter request, I think they were strongly inclined to follow our lead.”
Would the browser providers adopt the same stance in countries with more potential users? Mozilla would, Erwin says, but it wouldn’t be an easy decision. “If Mozilla… were to be offering our product in a country with a much larger user base, where the potential implications of our efforts to block some surveillance activity are larger, is a harder question,” he says.
In the meantime, there are defences against such attacks. “Some applications will do what’s called ‘certificate pinning’,” says Levin, wherein a mobile app or website uses a special cryptographic key to identify itself. The rarity of this feature, however, means that its effectiveness against man-in-the-middle attacks is largely untested. “It’s… totally unclear what happens when that key gets compromised,” says Levin. Users could also be fooled into downloading an unsecured clone of an app.
Another potential defence is a program that Levin co-wrote with his colleague Kevin Bock. Last year, the two researchers released the code for a specially adapted genetic algorithm named ‘Geneva’ that learns ways to fool internet censorship regimes by manipulating data packets. While not designed to explicitly defend against the kind of man-in-the-middle attack perpetrated by the Kazakh government, during tests it successfully fooled the country’s censorship regime within minutes. It is unknown whether the machine learning algorithm has yet been adopted by any enterprising software engineers in Iran, China or Kazakhstan.
In the meantime, the privacy of users living under authoritarian regimes is still being attacked, and what little room for public discourse reduced to preserve the political authority of the state. As these governments turn towards manipulating the basic architecture of encryption to achieve this goal, it will remain up to Western browser providers to remain united in their resistance to these measures.