Kazakhstan Decides To Break The Internet, Wage All Out War On Encryption

from the mandated-middle-men dept

Starting on January 1, the country of Kazakhstan has formally declared war on privacy, encryption, and a secure Internet. A new law takes effect in the new year that will require all citizens of the country to install a national, government-mandated root certificate into their devices' trust stores, allowing the interception of all encrypted citizen communications. Once that root is trusted, an interception box at the ISP can mint a certificate for any website on the fly, hand it to the user's browser, and decrypt, read and re-encrypt the traffic without tripping a single warning. In short, the country has decided that it would be a downright nifty idea to break HTTPS (TLS/SSL) for an entire nation, essentially launching a "man in the middle" attack on every resident of the country.

While it has since been removed, a statement posted to the website of the country's largest ISP KazakhTelecom (Google cache and rather sloppy translation) stated that the ISP was required to intercept encrypted traffic to "secure protection of Kazakhstan users" who have access to encrypted content from "foreign Internet resources":
"The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources...Detailed instructions for installation of security certificate will be placed in December 2015 on site www.telecom.kz."
Of course, such an effort will wind up doing the exact opposite of protecting the country's residents -- instead opening the door to rampant surveillance and potential security vulnerabilities should the private key behind the certificate fall into the wrong hands: whoever holds that key can impersonate any website to every device that trusts the root, and the certificate file itself is public by design. Oddly, while the notice states that all Windows, OS X, iOS and Android devices must adhere to the new law, Linux isn't mentioned, giving privacy-conscious residents and journalists ample time to install their Linux distro of choice. Security experts are quick to point out that the entire, ham-fisted affair is not only ethically idiotic, but likely impossible to fully implement and enforce:
"There are obvious, myriad ethical issues with this sort of mandated state surveillance," said (Security researcher Kenneth) White. "But I suspect that the political forces pushing these measures have grossly underestimated the technical hurdles and moral backlash that lay before them." "The best case scenario is that the regime will seriously weaken the security of only a subset of their citizens," said White.
Bang-up job, team! Last month, Human Rights Watch described Kazakhstan as an authoritarian dictatorship with "few tangible and meaningful human rights." Freedom House, meanwhile, ranks Kazakhstan poorly when it comes to Internet freedom, noting that the country's war on religious extremists has resulted in an increase in Internet filters, a total blockade of LiveJournal, intensified surveillance at cybercafes, and a spike in "physical assaults on bloggers and online journalists."

It's easy to dismiss what Kazakhstan is doing as the drunken stumbling of a tin pot dictatorship, until you remember that the UK is proposing something not entirely dissimilar, and both current leading U.S. Presidential candidates dream of waging their own war on encryption and common sense.

Filed Under: encryption, kazakhstan, man in the middle, privacy, security, surveillance


Reader Comments



  1. That One Guy (profile), 9 Dec 2015 @ 6:44am

    Not 'if', 'when'

    Of course, such an effort will wind up doing the exact opposite of protecting the country's residents -- instead opening the door to rampant surveillance and potential security vulnerabilities should the certificate fall into the wrong hands.

    That someone with less than noble intentions will get their hands on what they need to take advantage of the mandatory malware is a given; there's no question about that. The only thing up for question is how long it will take. Personally I'd guess a month at most, given you're talking about something that creates vulnerabilities in the computers of everyone within the country.

    Of course with regards to the surveillance aspect falling into the 'wrong hands', that will take all of zero days, given the government will be using it in that manner from the get-go.


  2. TasMot (profile), 9 Dec 2015 @ 8:56am

    What would be interesting to follow but we will probably never hear about is how long it will take residents to learn to create virtual machine images that can spin up without the "mandated" encryption bypass. Then they can spin up an image, do their private business that can be kept private, then delete that session as though nothing happened.


  3. Anonymous Coward, 9 Dec 2015 @ 8:56am

    In related news ... Brick and Mortar businesses across Kazakhstan hailed the decision as a great idea.


  4. pegr, 9 Dec 2015 @ 9:01am

    Re: Not 'if', 'when'

    >"and potential security vulnerabilities should the certificate fall into the wrong hands."

    No, I can't sign on to this. At least, it's no worse than what we have already. Don't trust the government of Kazakhstan? How about DigiNotar or Comodo or Thawte or NetSol or Symantec or Microsoft? It's all exactly the same risk. Not more, not less, exactly the same.


  5. David, 9 Dec 2015 @ 9:09am

    Re: Re: Not 'if', 'when'

    Last time I looked, Microsoft did not incarcerate and execute people. I have to admit that I stopped reading EULAs some time after I stopped using Windows, and the trend was clearly going in that direction. But I suppose if they had acted on such provisions already, it would have been in the news.


  6. Anonymous Coward, 9 Dec 2015 @ 9:15am

    ...the country's war on religious extremists has resulted in an increase in Internet filters, a total blockade of Live Journal, intensified surveillance at cybercafes, and a spike in "physical assaults on bloggers and online journalists."
    Don't give our politicians any ideas...


  7. Anonymous Coward, 9 Dec 2015 @ 9:15am

    Re: Re: Not 'if', 'when'

    Such a certificate requires a root certificate be given to all ISPs or whoever is doing the man in the middle attack. This is required so that they can sign certificates for sites that users want to visit. Time to leak for such a certificate will likely be measured in hours or days.

    What are the odds that it is also a software signing certificate, to make installing spyware easier?

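
The mechanism the article describes, and that comment 7 above spells out (a root handed to the interceptor, leaf certificates signed under it for whatever site the user asked for), in working code. This is an added example, not code from the page, from the ISP, or from any browser vendor; it uses only Go's standard library. The root's name and the host www.example.com are hypothetical and the keys are generated on the fly. BuildInterception plays the ISP proxy: a self-signed root, then a certificate for the requested host signed with the root's private key. VerifyChain plays the device: the same forged leaf validates cleanly once the root sits in the trust store and fails as "unknown authority" when it does not. ChainIsPinned is the check a client can still run: the forged chain cannot contain the real site's public key, so a pinned SPKI hash exposes the interception even though path validation passed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with signer (the parent's private key) and returns it parsed.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildInterception plays the ISP proxy: a self-signed root (hypothetical name) and,
// signed with the root's key, a server certificate for host. The real site's key is
// never involved; the proxy terminates TLS itself and serves this leaf instead.
func BuildInterception(host string) (root, leaf *x509.Certificate) {
	now := time.Now()
	rootKey := mustKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Hypothetical National Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root = mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafKey := mustKey() // the proxy's own key for this host
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return root, mustCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
}

// VerifyChain plays the device: ordinary path validation of the served leaf against
// whatever roots it trusts. A nil error is the padlock in the address bar.
func VerifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// SPKIPin is what key pinning compares: hex SHA-256 of the SubjectPublicKeyInfo.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ChainIsPinned reports whether any certificate in the presented chain carries a pinned
// key. A chain forged under the mandated root never holds the real site's key.
func ChainIsPinned(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[SPKIPin(c)] {
			return true
		}
	}
	return false
}

func main() {
	root, leaf := BuildInterception("www.example.com")
	pool := x509.NewCertPool()
	pool.AddCert(root)
	fmt.Println("device that installed the root:", VerifyChain(leaf, pool, "www.example.com"))
	fmt.Println("device without it:", VerifyChain(leaf, x509.NewCertPool(), "www.example.com"))
	_, realLeaf := BuildInterception("www.example.com") // independent key standing in for the real site's
	fmt.Println("real site's pin found in forged chain:", ChainIsPinned([]*x509.Certificate{leaf, root}, map[string]bool{SPKIPin(realLeaf): true}))
}
```

Two caveats a practitioner should keep in mind. Chrome and Firefox deliberately skip their built-in pin lists for chains that end in a user-installed root (so corporate TLS proxies keep working), which is exactly why a mandated root defeats the browser's own pinning; a check like ChainIsPinned only helps inside an application that enforces its own pins. And the secret worth stealing is the root's private key, not the certificate file citizens are told to install: the certificate is public by design, and anyone holding the key can forge the same chains the ISP does.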

  8. Anonymous Coward, 9 Dec 2015 @ 9:18am

    This will not stop terrorists and criminals using their own secure encryption, but will be very useful for spotting any signs of political dissent by everyday citizens.


  9. Anonymous Coward, 9 Dec 2015 @ 9:18am

    Re: Re: Re: Not 'if', 'when'

    "Last time I looked, Microsoft did not incarcerate and execute people"

    You are right.
    Microsoft does not murder and torture people,
    THE US GOVERNMENT does.


  10. Anonymous Coward, 9 Dec 2015 @ 9:18am

    Re: Re: Not 'if', 'when'

    Not in the slightest. Corporations do not have the power of coercion over the people the way the governments do. A cert issuer doesn't have (unreasonable?) laws or armed police or courts or prisons.


  11. Anonymous Coward, 9 Dec 2015 @ 9:27am

    this is a dream if you want to plant evidence


  12. Anonymous Coward, 9 Dec 2015 @ 9:28am

    The thing I'll never understand is why wage war and get millions of people killed trying to stop the same sort of thing from encroaching the planet 70 years ago, only to insist that the same thing must happen now to prevent what is happening, which is the same as then? Do the politicians in charge now think things will be any different? It's self-interested bullshit expectations if they do!
    I still think that what is going on is instigated to get the planet run like a massive corporation, where the only people with rights are the dozen at the top of the tree, the ones who actually want this and have never had a better chance of getting it! These surveillance laws are meant to ensure that the people and/or security forces can't do a damn thing without it being known and measures put in place to either prevent, stop or dispel any counter action to what the dozen want!!


  13. Anonymous Coward, 9 Dec 2015 @ 9:29am

    Followed by the US, UK, France and other "democratic" countries who are now all saying in chorus:

    "If Kazakhstan, China or Russia do that, why aren't we doing it, too?!"


  14. sigalrm (profile), 9 Dec 2015 @ 9:51am

    Re:

    This will not stop terrorists and criminals using their own secure encryption


    Actually, Kazakhstan is an edge case where, with regards to encrypted TCP and UDP flows at least, it might.

    Kazakhstan is a relatively small country, and their telcos and ISPs likely have a small number of connections to ISPs outside Kazakhstan.

    The ability to analyze and shut down traffic flows you can't decrypt is well within the capabilities of most "next-gen" firewalls.

    Next-gen firewalls won't necessarily help with encrypted data that's transferred over non-encrypted sessions, but there are systems on the market that can catch that in most cases.

    It's unlikely they could actually shut it down 100%, but 95%+ efficiency is probably possible for them. Couple that with periodic, high-visibility arrests and you could call it "close enough".

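
Comment 14's point, that a border firewall can triage the flows it cannot read, as an added example (not the commenter's code and not any firewall vendor's): a classifier that takes the first bytes of a flow and reports whether it is a TLS ClientHello (and which host its SNI names, which is exactly what an intercepting proxy needs in order to forge the right certificate), an opaque high-entropy stream with no recognisable handshake (the "encrypted data over non-encrypted sessions" case, the candidate for blocking), or plaintext. The ClientHello builder, the sample payloads and the 7.0 bits-per-byte threshold are constructed for this example; the threshold is an assumption, not a standard. Only Go's standard library is used.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math"
)

// Assumed threshold: encrypted or compressed data sits near 8 bits per byte and
// protocol text near 4 to 5. Not a standard value; tune it on real traffic.
const opaqueThreshold = 7.0

var u16 = binary.BigEndian.Uint16

// shannon returns the byte-level Shannon entropy of b in bits (0 for empty input).
func shannon(b []byte) (h float64) {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	for _, c := range counts {
		if c > 0 {
			h -= c / float64(len(b)) * math.Log2(c/float64(len(b)))
		}
	}
	return h
}

// parseClientHelloSNI reads one TLS record (type 0x16, version 3.x, 16-bit length)
// holding a handshake message (type 0x01 client_hello, 24-bit length). A well-formed
// ClientHello yields (server_name, true), "" if the extension is absent; anything
// truncated or malformed yields false, so a partial record is never classified as TLS.
func parseClientHelloSNI(rec []byte) (string, bool) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[1] != 0x03 || rec[5] != 0x01 {
		return "", false
	}
	n := int(rec[6])<<16 | int(rec[7])<<8 | int(rec[8])
	if len(rec) < 9+n || 4+n > int(u16(rec[3:5])) || n < 35 { // version(2)+random(32)+sid len(1)
		return "", false // truncated, or hello longer than its record: never guess
	}
	body := rec[9 : 9+n]
	p := 35 + int(body[34]) // skip version, random and session_id
	if p+2 > len(body) {
		return "", false
	}
	p += 2 + int(u16(body[p:])) // cipher_suites vector
	if p+1 > len(body) {
		return "", false
	}
	p += 1 + int(body[p]) // compression_methods vector
	if p == len(body) {
		return "", true // no extensions block: legal ClientHello, no SNI
	}
	if p+2 > len(body) || p+2+int(u16(body[p:])) > len(body) {
		return "", false
	}
	for ext := body[p+2 : p+2+int(u16(body[p:]))]; len(ext) >= 4; ext = ext[4+int(u16(ext[2:4])):] {
		l := int(u16(ext[2:4]))
		if 4+l > len(ext) {
			return "", false
		}
		if u16(ext[0:2]) == 0 { // server_name: list_len(2) name_type(1) name_len(2) name
			d := ext[4 : 4+l]
			if len(d) < 5 || d[2] != 0 || 5+int(u16(d[3:5])) > len(d) {
				return "", false
			}
			return string(d[5 : 5+int(u16(d[3:5]))]), true
		}
	}
	return "", true
}

// Classify applies the policy order: TLS first (interceptable through the mandated
// root), then high-entropy streams with no recognisable handshake, else plaintext.
func Classify(payload []byte) (kind, sni string, entropy float64) {
	entropy = shannon(payload)
	if name, ok := parseClientHelloSNI(payload); ok {
		return "tls-clienthello", name, entropy
	}
	if len(payload) >= 64 && entropy > opaqueThreshold { // a few bytes are not evidence
		return "opaque", "", entropy
	}
	return "plaintext", "", entropy
}

// BuildClientHello builds a minimal TLS 1.2 ClientHello whose only extension is
// server_name (constructed sample, not captured traffic; host must be under 247 bytes).
func BuildClientHello(host string) []byte {
	n := len(host)
	ext := append([]byte{0, 0, 0, byte(5 + n), 0, byte(3 + n), 0, 0, byte(n)}, host...)
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...)     // client_version, zeroed random
	body = append(body, 0, 0x00, 0x02, 0xc0, 0x2f, 0x01, 0x00) // empty session_id, one suite, null compression
	body = append(append(body, 0, byte(len(ext))), ext...)     // extensions length, then server_name
	hs := append([]byte{0x01, 0, byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}

func main() {
	for _, p := range [][]byte{BuildClientHello("mail.example.net"), []byte("GET / HTTP/1.1\r\n")} {
		fmt.Println(Classify(p))
	}
}
```

Two caveats a practitioner would want. The entropy heuristic cannot tell encryption from compression, so gzip bodies, images and video look "opaque" too; a real deployment pairs it with port and protocol context, and the false positives on that are what make the commenter's "95%+" figure expensive for everyone who is not the target. And the parser refuses to classify a truncated record rather than guessing, because a classifier that can be made to mislabel traffic by splitting a ClientHello across segments is trivially evaded.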

  15. Anonymous Coward, 9 Dec 2015 @ 9:58am

    Re: Not 'if', 'when'

    Not just the government, but government contractors, too. Including those contractors that have 'contracts' with other governments.


  16. bwburke94 (profile), 9 Dec 2015 @ 10:01am

    Although Kazakhstan a glorious country, it have a problem, too: economic, social, and human rights.


  17. Anonymous Coward, 9 Dec 2015 @ 10:07am

    Open the floodgates!


  18. Concerned Citizen, 9 Dec 2015 @ 10:32am

    A subset of their citizens

    And guess which subset that will be?

    The very same subset that actually puts their faith and trust in the government.

    The jaded, disenfranchised, cynical and downright frustrated citizens will not have faith in this scheme. Those who understand the technological ramifications of this will not have faith in this scheme.

    No, it is those the government relies on most. Those that put some measure of faith in the government. Those who are loyal and patriotic. Those the government wants most to keep safe... who are going to be affected, attacked and harmed by this.

    Governments wonder why they face rising dissent while simultaneously destroying public trust over and over...

    and over...

    and over...


  19. pegr, 9 Dec 2015 @ 10:40am

    Re: Re: Re: Not 'if', 'when'

    The context was, if they don't keep the cert secure, folks could be subject to hacking from online criminals.


    Reading: It's fundamental!


  20. Anonymous Coward, 9 Dec 2015 @ 10:58am

    The USSA started using one-time pads in 1930. Anyone want to bet that they will be making a comeback?

    BTW, there are easy methods of transmitting one time pad keys in the clear to facilitate such comm.


  21. Anonymous Coward, 9 Dec 2015 @ 11:13am

    BREAK THE INTERNET OH NOES!


  22. Richard (profile), 9 Dec 2015 @ 12:35pm

    Good News

    Hopefully this will fall apart quickly enough to serve as a warning to others.


  23. Anonymous Coward, 9 Dec 2015 @ 12:38pm

    Re:

    Exactly.
    The 'president' (completely fake elections where people are forced to vote at gun-point and often they just make up entire villages of voters) Nursultan Nazarbayev took MASSIVE bribes from various anti-internet companies that want to go back to the 'old way' of doing things via going to a physical bricks & mortar store, and this is the result, a blatant and obvious attempt to make online banking/purchasing extremely risky.


  24. Steve (profile), 9 Dec 2015 @ 12:54pm

    Kazakhstan should try Kickstarter, I'm sure the US & GB would help fund this new business.


  25. Anonymous Coward, 9 Dec 2015 @ 2:13pm

    Re:

    In later news Australia does the same as the financial donors to the current right wing government are B&M owners who have tried for years to stop internet shopping so they can continue to price gouge the citizens. And to think that this week we have been told we must be innovative to prosper after the mining boom. This new law sure is innovative for the dinosaurs of business, Australia style.


  26. Ryunosuke, 9 Dec 2015 @ 3:54pm

    Time to go grab some popcorn and watch the clusterfuck unfold. Let's see how Feinstein, et al. try to defend their propositions when Kazakhstan will fail horribly or be such a success that it is condemned by the world.


  27. Anonymous Coward, 9 Dec 2015 @ 8:22pm

    How is this even practical? There must be hundreds of thousands of embedded devices that cannot be updated.


  28. Anonymous Coward, 9 Dec 2015 @ 8:26pm

    Re:

    >BTW, there are easy methods of transmitting one time pad keys in the clear to facilitate such comm.
    Such as?


  29. Wendy Cockcroft, 11 Dec 2015 @ 7:52am

    There's a Borat joke in there somewhere.



Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.