News outlets reported in 2019 that the Kazakhstan government has taken extreme steps to surveil its citizens. In particular, the government has been using a tool called a root certificate to spy on the online activities of citizens.
The misuse of root certificates isn’t only a problem in Kazakhstan, however. Internet users around the world should be aware of how security tools can be misused. These tools can compromise privacy and collect data about the sites that you visit and the messages that you send online.
What Is a Root Certificate?
When you browse a website like MakeUseOf, you’ll see the URL starts with https instead of http. You’ll also see an icon that looks like a lock next to the URL in the address bar. This means that a type of encryption called Secure Sockets Layer/Transport Layer Security (SSL/TLS) protects your connection to the website.
With this encryption, data passed between you and the website is secure. So you can be sure that the site you are accessing is the real MakeUseOf and not an imposter site trying to steal your data.
To get that lock symbol, which users can trust, site owners pay an organization called a Certificate Authority (CA) to verify them. When a CA verifies that a site is authentic, it issues a security certificate. The developers of web browsers like Firefox and Chrome keep a list of trusted CAs whose certificates they accept.
So when you visit a site like MakeUseOf, your browser finds the certificate, verifies it comes from a trusted CA, and displays the secure site.
A root certificate is the highest level of security certificate available. It is important because this “master certificate” vouches for all the certificates below it. This means the security of the root certificate determines the security of an entire system. Developers use root certificates for many valid reasons.
However, when a government or other entity misuses a root certificate, it can intercept encrypted communications and access private data.
How Is the Government Misusing Root Certificates in Kazakhstan?
In July 2019, the government of Kazakhstan issued an advisory to Internet Service Providers (ISPs) in the country. The government said the ISPs had to make installation of a government-issued root certificate mandatory for users to access the internet. The government-issued certificate is called “Qaznet” and is described as a “national security certificate”.
ISPs dutifully directed their customers to install the certificate if they wanted to access the internet.
Once the certificate is installed, the government can use it to intercept a huge amount of browsing data. The government can see activity on popular sites like Google, Facebook, and Twitter. It can even decrypt HTTPS and TLS connections, and access account usernames and passwords.
This means that no site is secure if the certificate is installed.
The government is essentially launching a “man in the middle” attack on the entire country, according to security blog The Hacker News. Because the ISPs make the certificate mandatory, there is no way for users to easily avoid it if they want to continue accessing the internet.
Furthermore, people can only install the certificate over a non-HTTPS connection. A person must use a less secure HTTP connection to install the certificate. And hackers could intercept this process to install their own damaging certificate instead.
How Are Technology Companies Responding to Invasive Root Certificates?
Technology companies including Google, Apple, and Mozilla have responded to the situation in Kazakhstan. They have pledged to protect users against government surveillance. The Google Chrome browser now blocks the certificate used by the Kazakhstan government, according to a blog post.
Google has taken this action “to protect users from the interception or modification of TLS connections made to websites.” Users don’t need to take any actions to be protected. The browser will automatically block this particular certificate.
Similarly, Mozilla has deployed a solution to its Firefox browser. This solution will also block the certificate used by the Kazakhstan government. The company announced the fix, with a senior engineer at the company stating, “We don’t take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists.” Working in conjunction with Chrome, Firefox will automatically apply the block.
Mozilla also mentioned past instances of attempts by the Kazakhstan government to intercept internet traffic. This includes a previous unsuccessful attempt to include a root certificate in Mozilla’s trusted root store program in 2015.
What Can You Do About the Misuse of Root Certificates as a User?
The misuse of root certificates is obviously worrying. But what can you actually do about it as a user? Firstly, if you are in Kazakhstan you should not install the certificate onto your device. If you have already installed it, uninstall it immediately. You should also change the passwords to all your online accounts. This will prevent the government from accessing your browsing data.
If you live in a country with high levels of internet surveillance, you should be on the lookout for dubious certificates. If you are asked to install a security certificate, you should research whether it is trustworthy before installing it on your device.
You should also take other steps to protect your data. You should use a VPN to shield you from surveillance. Also consider using the Tor browser to access the internet anonymously. Be careful with email as well, as it is very difficult to protect email messages from surveillance. Consider using a secure messaging app like Signal or Telegram instead.
Learn About How Governments Spy on You Online
The situation in Kazakhstan is just one example of how governments can spy on their citizens through their internet activities. You should learn about how governments and companies can deploy surveillance techniques so you can try to avoid them.
Lest you think that this is only a problem in other countries, remember that places like the US and the UK have a history of spying on their citizens as well. As a reminder, you can learn about times your data was shockingly handed over to the NSA.