

Apple, Google, and Mozilla Team Up to Block Kazakhstani Surveillance

Last month, the government of Kazakhstan began intercepting encrypted HTTPS traffic by requiring everyone in the country to install a government-issued root certificate in their Web browsers and Internet-connected devices. With that root trusted, the government can issue itself a certificate for any site and decrypt, read, and re-encrypt the traffic to it without the browser complaining. ISPs enforced the order by blocking Internet traffic if the certificate was missing. The program was halted earlier this month, with the government calling it a “test.”

Regardless, Apple, Google, and Mozilla have all now implemented countermeasures in their respective browsers that reject the certificate even when a user has installed it by hand, preventing future spying by the Kazakhstan government. Microsoft said only that the Kazakhstani certificate was not in the company’s Trusted Root program, which means Windows does not trust it by default but says nothing about a copy a user was ordered to install themselves; in essence, though, that too amounts to declining to honor the certificate.

On the one hand, kudos to Apple, Google, Microsoft, and Mozilla for preventing their apps from being weaponized and supporting their users’ right to privacy, something Apple has said it believes is a fundamental human right. On the other hand, this move highlights the increasing tension between corporations and governments now that companies have grown large and powerful enough to defy the wishes of governments with whose policies they disagree (and whose markets are small enough to risk). Expect to see more along these lines.


Comments About Apple, Google, and Mozilla Team Up to Block Kazakhstani Surveillance

Notable Replies

  1. Are we watching the next form of government evolving? We’ve tried tribal, religious, national. Now corporate? They have all been covered by SciFi authors. :-)

  2. Yeah, it really does feel like we’re entering a sci-fi novel in some ways.

  3. I had an interesting experience a few years ago in a country that shall remain nameless, but is geopolitically close to Kazakhstan.

    We were using OpenDNS for all our upstream resolution. One day the staff complained to me that the internet wasn’t working. I quickly discovered that the ISP had blocked OpenDNS. We took the matter up with them and were told that they had received a higher ruling that all DNS resolution had to be in country and we must switch to using their DNS servers. Does this smell like a desire to poison caches? We subsequently set up dnscrypt to access OpenDNS over port 443. It lasted a few months, but eventually they sniffed that out and blocked all access to OpenDNS’s IP addresses.

    Some time later I was talking with an ex-pat from another firm. He was having trouble with Gmail. Sometimes Chrome would refuse to connect to his Gmail account, but he would have no trouble connecting right away with Firefox or IE. Chrome performs certificate pinning and will block anything but the correct Google certificates. So this pretty much confirmed that the government of that country had the ability to generate SSL certificates that Firefox and IE would trust.

    Surely the SSL certificate system is fundamentally flawed when these corporations get to decide which governments have access to trusted root certificates.

  4. Oh, that’s fascinating. I wonder how Safari would work in such a situation?

  5. It depends on what root certificates Apple has included. @epi’s Gmail example is fundamentally the same as the Kazakhstan story, Safari probably had the same root certificates as the other browsers. Heck, Chrome probably had the certificate as well but since Google makes both Chrome and Gmail, Chrome didn’t have to trust its store of root certificates (which can include certificates that enable such spoofing), for Gmail it only trusts the exact certificate Chrome expects for that site.

    Certificate pinning was a fad for a while but it doesn’t scale; it can still be worth doing by those who control the browser and have critical servers (e.g. Apple could use certificate pinning to make sure Safari only visits a site like iCloud.com).

    Safari uses the OS’s store of root certificates found in Keychain Access.app under System Roots. As far as I know, other browsers on macOS don’t use the System Roots, they maintain their own within the browser application; you can see Firefox’s by going to Preferences > Privacy & Security, and clicking the View Certificates button to open the Certificate Manager. Firefox root certificate lists are also published on the web.

    On iOS, I don’t know if 3rd party browsers maintain their own root certificate stores or if they have to use the iOS root certificates just as they have to use Apple’s WebKit rendering. I think any app can use certificate pinning to prevent rogue certificate authorities spoofing the servers those apps connect to.

  6. While I don’t agree with what Kazakhstan was trying to do, I do find it a bit tough and ironic that they are being punished for trying somewhat transparently to do what perhaps half the governments of the world (and many major businesses) can already non-transparently accomplish. And it is the complicity of those corporations that have now punished Kazakhstan that allows those other governments to do this.

    Who is it really who determines what certificates are in the trust stores of our browsers and systems? They are deciding for me who I have to trust, and it is anything but transparent. I know I can alter the trust settings on my Mac in Keychain Access. And I have on occasion done this. But trying to find out who the CAs behind these certificates are and why they are necessary is impossible. And on iOS it is totally impossible to even look at the list of certificates, let alone alter the trust settings.

    I like the idea of certificate pinning and really wish there was a Safari plugin that would keep a database of certificates I have seen and tell me when the certificate has changed. This would be especially valuable for online banking and other payment sites. I run a manual system of checking the SHA signatures of the certificates before each login. I would not be at all surprised to find that Safari is pinning the certificates for iCloud, but then again, it’s not that long ago that Safari was in the wild with a bug that prevented it from checking certificates at all.
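The certificate database that the last comment wishes for, and the pin check that comments 3 and 5 describe, as an added example (this is not part of the original article, not TidBITS code, and not any commenter’s tool). It records the SHA-256 fingerprint of the leaf certificate a site presents the first time it is seen, passes repeat visits that present the same certificate, and flags a visit where a different leaf shows up, which is what a forged certificate signed by an interception root looks like. The host names, the `pins.json` path and the two DER byte strings are constructed placeholders, not real certificates; everything else is the Python standard library.

```python
"""Trust-on-first-use (TOFU) pinning of a site's leaf certificate by SHA-256
fingerprint. Added example for this thread; it is not TidBITS code and not any
commenter's tool. Standard library only.

Host names, the pins.json path and the two DER byte strings below are
constructed placeholders, not real certificates."""
import hashlib
import json
import socket
import ssl
import sys
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated the way browser UIs show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the far end presents, in DER form.

    Chain validation is switched off on purpose: an interception root that the
    OS has been told to trust would make a forged chain 'valid', and the point
    of pinning is to compare the leaf regardless. Needs network access; the
    offline demo below does not call this."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Host -> fingerprint database; in memory, or persisted as JSON if a path is given."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, der_cert: bytes) -> str:
        """'new' on first sight (pin recorded), 'ok' on a match, 'CHANGED' on a
        mismatch. A mismatch never overwrites the pin: the user decides whether
        the site rotated its certificate or something sits in the path."""
        seen = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen
            self.save()
            return "new"
        return "ok" if pinned == seen else "CHANGED"


# Constructed stand-ins for DER certificates (real ones begin 0x30 0x82 ...).
BANK_CERT = b"\x30\x82constructed: bank.example leaf, issued by a public CA"
MITM_CERT = b"\x30\x82constructed: bank.example leaf, issued by interception root"


def demo():
    """Offline walk-through: first visit pins, a repeat visit passes, a visit
    through an interceptor presenting its own leaf is flagged."""
    store = PinStore()
    return [
        store.check("bank.example", BANK_CERT),   # new
        store.check("bank.example", BANK_CERT),   # ok
        store.check("bank.example", MITM_CERT),   # CHANGED
    ]


if __name__ == "__main__":
    print(demo())
    if len(sys.argv) > 1:  # live check, e.g. python pin_check.py www.example.com
        host = sys.argv[1]
        leaf = fetch_leaf_der(host)
        print(host, fingerprint(leaf), PinStore("pins.json").check(host, leaf))
```

Two caveats for anyone who runs this against real sites. A result of `CHANGED` is a prompt to look, not proof of interception: sites rotate leaf certificates routinely (Let’s Encrypt certificates are replaced roughly every two months) and large sites behind CDNs can present different certificates from different edges, which is why Chrome’s built-in pins and the old HPKP mechanism pinned the public key (SPKI) of a CA or intermediate rather than a leaf fingerprint. And a local check like this differs from a browser’s own pins in one way that matters for the Kazakhstan case: Chrome does not enforce its built-in pins against chains that end at a root the user or an administrator installed, so a government-mandated root is exactly the situation a separate, user-controlled database catches.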
