Kazakhstan Decides To Break The Internet, Wage All Out War On Encryption

from the mandated-middle-men dept

Starting on January 1, the country of Kazakhstan has formally declared war on privacy, encryption, and a secure Internet. A new law takes effect in the new year that will require all citizens of the country to install a national, government-mandated root certificate, allowing the ISP to intercept and decrypt citizens' HTTPS traffic. In short, the country has decided that it would be a downright nifty idea to break HTTPS (TLS/SSL), essentially launching a “man in the middle” attack on every resident of the country: once the root is trusted, the interceptor can mint its own certificate for any site and the browser will accept it without complaint.
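What “install the national certificate” actually does to a browser's certificate check, as an added example written for this page in Go against the standard library only (it is not code from the article, from Kazakhtelecom, or from any real deployment). Two roots are built in memory: the site's genuine CA and a hypothetical “national” CA. Each issues a certificate for the same hostname; the interceptor's one is rejected until its root is added to the trust store, after which only a public-key pin still detects the substitution. The CA names and the hostname are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// mint generates a fresh P-256 key and signs tmpl with parentKey, or with the
// new key itself when parent is nil (a self-signed root). Valid from 1h ago to +24h.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, k
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &k.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, k
}

// newRoot is a self-signed CA. The mandated "national security certificate"
// is one of these, with the private key held by whoever does the intercepting.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf has a CA sign a server certificate for host with a brand-new key.
// Whoever holds a trusted CA's key can do this for any hostname; that is the trick.
func issueLeaf(host string, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	leaf, _ := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	return leaf
}

// accepted mirrors a browser's check: chain leaf to a root in the trust store
// and confirm it covers host. true means the connection proceeds silently.
func accepted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value HPKP and app pinning compare.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

type Outcome struct {
	RealSiteAccepted         bool // genuine leaf, only the genuine root trusted
	MitmRejected             bool // interceptor's leaf, only the genuine root trusted
	MitmAcceptedAfterInstall bool // same leaf once the mandated root is installed
	PinCatchesMitm           bool // pin of the genuine key (from a clean visit) still rejects it
}

// Run builds both CAs, issues a leaf for host from each, and records what a client concludes.
func Run(host string) Outcome {
	realCA, realKey := newRoot("Example Public CA")
	nationalCA, nationalKey := newRoot("Hypothetical National Security CA")
	realLeaf := issueLeaf(host, realCA, realKey)
	mitmLeaf := issueLeaf(host, nationalCA, nationalKey)
	return Outcome{
		RealSiteAccepted:         accepted(realLeaf, host, realCA),
		MitmRejected:             !accepted(mitmLeaf, host, realCA),
		MitmAcceptedAfterInstall: accepted(mitmLeaf, host, realCA, nationalCA),
		PinCatchesMitm:           spkiPin(mitmLeaf) != spkiPin(realLeaf),
	}
}

func main() {
	fmt.Printf("%+v\n", Run("example.com"))
}
```

Running it prints all four fields as true: the substitution is invisible to ordinary chain validation once the root is installed, and only a client that remembers the site's real public key notices. One caveat for anyone counting on that last line of defence: mainstream browsers deliberately do not enforce their built-in pins for chains that end in a user-installed root (that exception exists to keep corporate interception proxies working), so a mandated root defeats browser pinning too, leaving pinning inside mobile apps and custom clients as the part that still bites.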

While it has since been removed, a statement posted to the website of the country’s largest ISP KazakhTelecom (Google cache and rather sloppy translation) stated that the ISP was required to intercept encrypted traffic to “secure protection of Kazakhstan users” who have access to encrypted content from “foreign Internet resources”:

“The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources…Detailed instructions for installation of security certificate will be placed in December 2015 on site www.telecom.kz.”

Of course, such an effort will wind up doing the exact opposite of protecting the country’s residents — instead opening the door to rampant surveillance and potential security vulnerabilities should the certificate’s private key fall into the wrong hands (the certificate itself is public; whoever holds the signing key can impersonate any site to every device that trusts it). Oddly, while the notice states that all Windows, OS X, iOS and Android devices must adhere to the new law, Linux isn’t mentioned, giving privacy-conscious residents and journalists ample time to install their Linux distro of choice. Security experts are quick to point out that the entire ham-fisted affair is not only ethically idiotic, but likely impossible to fully implement and enforce:

“There are obvious, myriad ethical issues with this sort of mandated state surveillance,” said (Security researcher Kenneth) White. “But I suspect that the political forces pushing these measures have grossly underestimated the technical hurdles and moral backlash that lay before them.” “The best case scenario is that the regime will seriously weaken the security of only a subset of their citizens,” said White.

Bang up job, team! Last month, Human Rights Watch described Kazakhstan as an authoritarian dictatorship with “few tangible and meaningful human rights.” Freedom House, meanwhile, ranks Kazakhstan poorly when it comes to Internet freedom, noting that the country’s war on religious extremists has resulted in an increase in Internet filters, a total blockade of LiveJournal, intensified surveillance at cybercafes, and a spike in “physical assaults on bloggers and online journalists.”

It’s easy to dismiss what Kazakhstan is doing as the drunken stumbling of a tin pot dictatorship, until you remember that the UK is proposing something not entirely dissimilar, and both current leading U.S. Presidential candidates dream of waging their own war on encryption and common sense.


Comments on “Kazakhstan Decides To Break The Internet, Wage All Out War On Encryption”

29 Comments
That One Guy says:

Not 'if', 'when'

Of course, such an effort will wind up doing the exact opposite of protecting the country’s residents — instead opening the door to rampant surveillance and potential security vulnerabilities should the certificate fall into the wrong hands.

That someone with less than noble intentions will get their hands on what they need to take advantage of the mandatory malware is a given; there’s no question about that. The only thing up for question is how long it will take. Personally I’d guess a month at most, given you’re talking about something that creates vulnerabilities in the computers of everyone within the country.

Of course with regards to the surveillance aspect falling into the ‘wrong hands’, that will take all of zero days, given the government will be using it in that manner from the get-go.

pegr says:

Re: Re: Not 'if', 'when'

“and potential security vulnerabilities should the certificate fall into the wrong hands.”

No, I can’t sign on to this. At least, it’s no worse than what we have already. Don’t trust the government of Kazakhstan? How about DigiNotar or Comodo or Thawte or NetSol or Symantec or Microsoft? It’s all exactly the same risk. Not more, not less, exactly the same.

David says:

Re: Re: Re: Re: Not 'if', 'when'

Last time I looked, Microsoft did not incarcerate and execute people. I have to admit that I stopped reading EULAs some time after I stopped using Windows, and the trend was clearly going in that direction. But I suppose if they had acted on such provisions already, it would have been in the news.

Anonymous says:

Re: Re: Re: Re: Not 'if', 'when'

Such a certificate requires a root certificate be given to all ISPs, or whoever is doing the man in the middle attack. This is required so that they can sign certificates for sites that users want to visit. Time to leak for such a certificate will likely be measured in hours or days.

What are the odds that it is also a software signing certificate, to make installing of spyware easier?

TasMot says:

What would be interesting to follow, but we will probably never hear about, is how long it will take residents to learn to create virtual machine images that can spin up without the “mandated” encryption bypass. Then they can spin up an image, do their private business that can be kept private, then delete that session as though nothing happened.

Anonymous says:

Re: Re:

Exactly.
The ‘president’ (completely fake elections where people are forced to vote at gun-point and often they just make up entire villages of voters) Nursultan Nazarbayev took MASSIVE bribes from various anti-internet companies that want to go back to the ‘old way’ of doing things via going to a physical bricks & mortar store, and this is the result, a blatant and obvious attempt to make online banking/purchasing extremely risky.

Anonymous says:

Re: Re:

In later news Australia does the same as the financial donors to the current right wing government are B&M owners who have tried for years to stop internet shopping so they can continue to price gouge the citizens. And to think that this week we have been told we must be innovative to prosper after the mining boom. This new law sure is innovative for the dinosaurs of business, Australia style.

sigalrm says:

Re: Re:

This will not stop terrorists and criminals using their own secure encryption

Actually, Kazakhstan is an edge case where, with regards to encrypted TCP and UDP flows at least, it might.

Kazakhstan is a relatively small country, and their telcos and ISPs likely have a small number of connections to ISPs outside Kazakhstan.

The ability to analyze and shut down traffic flows you can’t decrypt is well within the capabilities of most “next-gen” firewalls.

Next-gen firewalls won’t necessarily help with encrypted data that’s transferred over non-encrypted sessions, but there are systems on the market that can catch that in most cases.

It’s unlikely they could actually shut it down 100%, but 95%+ efficiency is probably possible for them. Couple that with periodic, high-visibility arrests and you could call it “close enough”.

Anonymous says:

The thing I’ll never understand is why wage war and get millions of people killed trying to stop the same sort of thing from encroaching on the planet 70 years ago, only to insist that the same thing must happen now to prevent what is happening, which is the same as then? Do the politicians in charge now think things will be any different? It’s self-interested bullshit expectations if they do!
I still think that what is going on is instigated to get the planet run like a massive corporation, where the only people with rights are the dozen at the top of the tree, the ones who actually want this and have never had a better chance of getting it! These surveillance laws are meant to ensure that the people and/or security forces can’t do a damn thing without it being known and measures put in place to either prevent, stop or dispel any counter action to what the dozen want!!

Concerned Citizen says:

A subset of their citizens

And guess which subset that will be?

The very same subset that actually puts their faith and trust in the government.

The jaded, disenfranchised, cynical and downright frustrated citizens will not have faith in this scheme. Those who understand the technological ramifications of this will not have faith in this scheme.

No, it is those the government relies on most. Those that put some measure of faith in the government. Those who are loyal and patriotic. Those the government wants most to keep safe… who are going to be affected, attacked and harmed by this.

Governments wonder why they face rising dissent while simultaneously destroying public trust over and over…

and over…

and over…
