Closed Bug 1229827 Opened 9 years ago Closed 8 years ago

Kazakhstan to MITM all HTTPS traffic

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED INCOMPLETE

People

(Reporter: phr-mozilla, Assigned: kathleen.a.wilson)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

Raising issue described here: http://telecom.kz/en/news/view/18729


Actual results:

The measure is not yet in force but the Kazakhstan government has announced plans to require all KZ internet users to install a special "national security certificate" in their browsers, so that KZ Telecom can MITM the traffic.  This also affects browsers and software other than Firefox.


Expected results:

Not sure.  One idea is to add some kind of patch that prevents Firefox from accepting the certificate, or otherwise respond to the MITM.  Another is to do nothing.  In any case the developers should be aware of this.  Not a Firefox bug per se, but I'm not sure where else to put this.  The RFE category seems to be gone?
Forgot to add-- I saw this through a HN discussion: https://news.ycombinator.com/item?id=10663843
Assignee: nobody → kwilson
Component: Untriaged → CA Certificates
Product: Firefox → mozilla.org
Version: 42 Branch → other
Blocks: 1232689
gerv/kwilson: is there anything we can (want to) do about this, perhaps in conjunction with other browsers?
Flags: needinfo?(kwilson)
Flags: needinfo?(gerv)
I think this certificate and any future attempts to do so (with new certificates) should be banned, by adding these certificates to the internal browser ban list.
My understanding is that they backed away from this approach; can anyone provide confirmation one way or another?

Gerv
Flags: needinfo?(gerv)
Kazakhstan ISP provider and mobile network providers (Beeline Kazakhstan) are still actively pushing this.

Official post from one of the major Kazakhstan mobile network providers (links to certificate disabled):
https://www.beeline.kz/ru/mobile_help/sertificatofsecurity
They have removed the page about this ROOT CA for MitM attacks (after I submitted bug reports to Mozilla and Google):
http://telecom.kz/certificate

Looks like they are trying to hide this issue from the world.

But it is still available in the Google cache:
http://webcache.googleusercontent.com/search?q=cache:ezbYk9XPY5kJ:telecom.kz/certificate+&cd=1&hl=ru&ct=clnk

Moreover, I have found they are asking Mozilla to add this ROOT certificate as trusted to new browser builds.
So they will be able to do MitM attacks more easily, with no need to ask users to add this CA manually.
(In reply to Gervase Markham [:gerv] from comment #5)
> My understanding is that they backed away from this approach; can anyone
> provide confirmation one way or another?
> 
> Gerv

The dupe (bug 1281265) listed telekom.kz/certificate , which when I looked at it yesterday still seemed to confirm it. I kid you not, today it is a 404 (but it has a cat! :-) ). Here's the wayback machine's copy, also from yesterday (which is a bit uncanny...): http://web.archive.org/web/20160621170834/http://telecom.kz/certificate . Chucking that through google translate was what I based the needinfo on. I just tried, and I can't find any plausible denial/confirmation of what's going on (which might be my non-existent Russian/Kazakh skills, but there we are).
(In reply to :Gijs Kruitbosch from comment #8)
> (In reply to Gervase Markham [:gerv] from comment #5)
> > My understanding is that they backed away from this approach; can anyone
> > provide confirmation one way or another?
> > 
> > Gerv
> 
> The dupe (bug 1281265) listed telekom.kz/certificate , which when I looked
> at it yesterday still seemed to confirm it. I kid you not, today it is a 404
> (but it has a cat! :-) ). Here's the wayback machine's copy, also from
> yesterday (which is a bit uncanny...):
> http://web.archive.org/web/20160621170834/http://telecom.kz/certificate .
> Chucking that through google translate was what I based the needinfo on. I
> just tried, and I can't find any plausible denial/confirmation of what's
> going on (which might be my non-existent Russian/Kazakh skills, but there we
> are).

To me it looks like they removed this official publication from the major ISP's site after I actively posted this issue to several bug trackers. It is probably also related to some posts about this issue on the Internet (which are mostly in Russian).
Clearing my needinfo on this bug. I don't think there is any action for Mozilla to take on this, other than to not move forward with Bug #1232689.
Flags: needinfo?(kwilson)
This bug doesn't request any specific action; resolving.

Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Product: mozilla.org → NSS
Product: NSS → CA Program