Ars Technica: Kazakhstan spies on citizens’ HTTPS traffic; browser makers fight back

Google, Mozilla, Apple, and Microsoft said they’re joining forces to stop Kazakhstan’s government from decrypting and reading HTTPS-encrypted traffic sent between its citizens and overseas social media sites.

All four companies’ browsers recently received updates that block a root certificate the government has been requiring some citizens to install. Once a browser trusts that self-signed root, government-run interception equipment can present its own certificates for selected websites, so TLS sessions to those sites are terminated with private keys the government controls rather than keys held by the sites. Under industry standards, a site’s TLS private key is supposed to remain solely under the control of the site operator.

A thread on Mozilla’s bug-reporting site first reported the certificate in use on December 6. The Censored Planet website later reported that the certificate was being used to intercept traffic to dozens of Web services, most of them belonging to Google, Facebook, and Twitter. Censored Planet identified the affected sites as:

google.com
youtube.com
facebook.com
vk.com
instagram.com
twitter.com
mail.ru
allo.google.com
android.com
cdninstagram.com
dns.google.com
docs.google.com
encrypted.google.com
goo.gl
mail.google.com
messages.android.com
messenger.com
news.google.com
ok.ru
picasa.google.com
plus.google.com
sites.google.com
tamtam.chat
translate.google.com
video.google.com
vk.me
www.youtube.com
www.messenger.com
www.google.com
www.facebook.com
www.instagram.com
groups.google.com
hangouts.google.com

Instead of sending traffic that could be decrypted only by the website and the individual end user, computers with the certificate installed accepted connections keyed by the interceptor, so the Kazakhstan government could also decrypt the data in transit.
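The mechanism described above, as an added example that is not from the article or from any browser vendor’s code: a POSIX shell script using the openssl command-line tool (assumed to be installed) that builds a stand-in public root, a stand-in self-signed "interception" root of the kind a user might be told to install, and one leaf certificate for www.google.com from each. It then applies the two checks a browser performs on a presented chain: is the issuer’s SHA-256 fingerprint on a blocklist, and does the chain verify against the public trust store. Every certificate and the single blocklist entry are generated locally at run time; nothing here is the real Kazakhstan certificate or a real browser blocklist entry, and www.google.com appears only as the name in the constructed leaves.

```shell
#!/bin/sh
# Added example (not the article's or any vendor's code). Requires openssl.
# All material below is constructed on the fly; no real fingerprints are used.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed fixtures ---------------------------------------------------
# Stand-in for a root that ships in the OS/browser trust store.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$WORK/public.key" -out "$WORK/public.pem" \
  -subj "/CN=Example Public Root" >/dev/null 2>&1
# Stand-in for a self-signed root a user was told to install by hand.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$WORK/mitm.key" -out "$WORK/mitm.pem" \
  -subj "/CN=Example Interception Root" >/dev/null 2>&1

# mkleaf <out-prefix> <ca-prefix>: issue a leaf for www.google.com from <ca>.
mkleaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=www.google.com" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/$1.pem" >/dev/null 2>&1
}
mkleaf legit public        # what the real site would present
mkleaf intercepted mitm    # what an interception proxy would present

# --- the checks -------------------------------------------------------------
# SHA-256 over the DER encoding, upper-case hex without colons; this is the
# value browser blocklists key on.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
}
# The blocklist is a space-separated list of fingerprints. Here it holds only
# the fingerprint of our constructed interception root, computed at run time.
BLOCKLIST="$(fingerprint "$WORK/mitm.pem")"

# verdict <leaf.pem> <presented-issuer.pem> <blocklist>
#   BLOCKED   - presented issuer is on the blocklist (checked first, like a browser)
#   ok        - chain verifies against the public trust store
#   UNTRUSTED - verifies only against some root outside the public store
verdict() {
  issuer_fp=$(fingerprint "$2")
  case " $3 " in
    *" $issuer_fp "*) echo "BLOCKED"; return 0 ;;
  esac
  if openssl verify -CAfile "$WORK/public.pem" -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo "ok"
  else
    echo "UNTRUSTED"
  fi
}

verdict "$WORK/legit.pem"       "$WORK/public.pem" "$BLOCKLIST"   # ok
verdict "$WORK/intercepted.pem" "$WORK/mitm.pem"   "$BLOCKLIST"   # BLOCKED
verdict "$WORK/intercepted.pem" "$WORK/mitm.pem"   ""             # UNTRUSTED
```

The third call shows why the blocklist matters: with an empty blocklist the intercepted chain is merely "untrusted" against the public store, and on a machine where the user has actually installed the root into the OS store a trust-store-based check would say "ok". That is why the browsers hard-code the distrusted root by fingerprint instead of relying on what the operating system trusts.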

This is at least the second time Kazakhstan’s government has required some of its citizens to install such a certificate; the previous attempt was in August 2019, and the major browser makers blocked that one as well.

Censored Planet said the percentage of hosts inside Kazakhstan experiencing the interception was about 11.5 percent, up from 7 percent last year.

Arstechnica.com
Dan Goodin
12.19.20