Kazakhstan to MITM all HTTPS traffic

RESOLVED INCOMPLETE

People

(Reporter: phr-mozilla, Assigned: kwilson)

Details

Reporter

Description

4 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

Raising issue described here: http://telecom.kz/en/news/view/18729


Actual results:

The measure is not yet in force but the Kazakhstan government has announced plans to require all KZ internet users to install a special "national security certificate" in their browsers, so that KZ Telecom can MITM the traffic.  This also affects browsers and software other than Firefox.


Expected results:

Not sure.  One idea is to add some kind of patch that prevents Firefox from accepting the certificate, or otherwise respond to the MITM.  Another is to do nothing.  In any case the developers should be aware of this.  Not a Firefox bug per se, but I'm not sure where else to put this.  The RFE category seems to be gone?

Reporter

Comment 1

4 years ago
Forgot to add-- I saw this through a HN discussion: https://news.ycombinator.com/item?id=10663843

Updated

4 years ago
Assignee: nobody → kwilson
Component: Untriaged → CA Certificates
Product: Firefox → mozilla.org
Version: 42 Branch → other
Assignee

Updated

3 years ago
Blocks: 1232689

Updated

3 years ago
Duplicate of this bug: 1281265

Comment 3

3 years ago
gerv/kwilson: is there anything we can (want to) do about this, perhaps in conjunction with other browsers?
Flags: needinfo?(kwilson)
Flags: needinfo?(gerv)

Comment 4

3 years ago
I think this certificate and any future attempts to do so (with new certificates) should be banned, by adding these certificates to the internal browser ban list.

Comment 5

My understanding is that they backed away from this approach; can anyone provide confirmation one way or another?

Gerv
Flags: needinfo?(gerv)

Comment 6

3 years ago
Kazakhstan's ISP provider and mobile network providers (Beeline Kazakhstan) are still actively pushing this.

Official post from one of the major Kazakhstan mobile network providers (links to the certificate disabled):
https://www.beeline.kz/ru/mobile_help/sertificatofsecurity

Comment 7

3 years ago
They have removed the page about this ROOT CA for MitM attacks (after I submitted bug reports to Mozilla and Google):
http://telecom.kz/certificate

Looks like they are trying to hide this issue from the world.

But it is still available in Google cache:
http://webcache.googleusercontent.com/search?q=cache:ezbYk9XPY5kJ:telecom.kz/certificate+&cd=1&hl=ru&ct=clnk

Moreover, I have found they are asking Mozilla to add this ROOT certificate as trusted to new browser builds.
So they will be able to do MitM attacks more easily, with no need to ask users to add this CA manually.

Comment 8

3 years ago
(In reply to Gervase Markham [:gerv] from comment #5)
> My understanding is that they backed away from this approach; can anyone
> provide confirmation one way or another?
> 
> Gerv

The dupe (bug 1281265) listed telekom.kz/certificate , which when I looked at it yesterday still seemed to confirm it. I kid you not, today it is a 404 (but it has a cat! :-) ). Here's the wayback machine's copy, also from yesterday (which is a bit uncanny...): http://web.archive.org/web/20160621170834/http://telecom.kz/certificate . Chucking that through google translate was what I based the needinfo on. I just tried, and I can't find any plausible denial/confirmation of what's going on (which might be my non-existent Russian/Kazakh skills, but there we are).

Comment 9

3 years ago
(In reply to :Gijs Kruitbosch from comment #8)
> (In reply to Gervase Markham [:gerv] from comment #5)
> > My understanding is that they backed away from this approach; can anyone
> > provide confirmation one way or another?
> > 
> > Gerv
> 
> The dupe (bug 1281265) listed telekom.kz/certificate , which when I looked
> at it yesterday still seemed to confirm it. I kid you not, today it is a 404
> (but it has a cat! :-) ). Here's the wayback machine's copy, also from
> yesterday (which is a bit uncanny...):
> http://web.archive.org/web/20160621170834/http://telecom.kz/certificate .
> Chucking that through google translate was what I based the needinfo on. I
> just tried, and I can't find any plausible denial/confirmation of what's
> going on (which might be my non-existent Russian/Kazakh skills, but there we
> are).

To me, it looks like they removed this official publication from the major ISP's site after I actively posted this issue to several bug trackers. It is probably also related to some posts about this issue on the Internet (which are mostly in Russian).

Assignee

Comment 10

3 years ago
Clearing my needinfo on this bug. I don't think there is any action for Mozilla to take on this, other than to not move forward with Bug #1232689.
Flags: needinfo?(kwilson)

This bug doesn't request any specific action; resolving.

Gerv
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE

Updated

2 years ago
Product: mozilla.org → NSS