Turns out that the root certificate was a Trojan Horse. It allowed the Kazakhstan government to perform a "man-in-the-middle" or MitM attack against HTTPS connections to a list of 37 domains, including Facebook, Twitter, Google and more, according to a study published by University of Michigan's Censored Planet. Normally, HTTPS traffic is encrypted end to end so that ISPs and governments in the path cannot read it. In the case of Kazakhstan, the MitM attack broke that protection for these sites: because users had installed the government's root certificate, their browsers trusted the certificates the interception system presented, allowing the government to freely spy on private internet activity.
Both the Chrome and Firefox browsers in Kazakhstan will bar the illicit certificate before users can even download it. Mozilla will block Kazakhstan's root certificate with OneCRL, which Firefox has been using to revoke certificates since 2015. Previously, users who accessed the internet in Kazakhstan received a message on their smartphone or computer asking them to install the root certificate.
Now when Firefox detects the certificate in Kazakhstan, it will instead block the connection and display an error message. "Research shows that many users click through errors without understanding what they mean, leaving them no better off than if there were no warning at all. We believe this is the appropriate response because users in Kazakhstan are not being given a meaningful choice over whether to install the certificate and because this attack undermines the integrity of a critical network security mechanism," said Mozilla's Senior Director of Trust & Safety Marshall Erwin in an email to Engadget.
Chrome is blocking the certificate as well. In addition, it will be added to a blocklist in the Chromium source code and included in other Chromium-based browsers in the future.
Apple has also blocked the certificate in the Safari browser. "Apple believes privacy is a fundamental human right, and we design every Apple product from the ground up to protect personal information. We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue," wrote an Apple spokesperson in a statement to Engadget.
At first, the move may seem unnecessary given that Kazakhstan stopped requiring users to install the certificate a couple of weeks ago. Reuters reported that Kazakhstan earlier this month halted deployment of its surveillance system after facing legal challenges. A group of Kazakh lawyers sued three of the country's mobile operators for restricting internet access after users refused to install the certificate. Kazakhstan's State Security Committee backed off in response, issuing a statement that called the certificate rollout a "test" that was now complete.
In a statement to Engadget, Mozilla's Erwin acknowledged that the company was aware of Kazakhstan ending the test. Users could still be vulnerable if they have the certificate installed. "While the government's test has apparently ended, the mechanisms it can use to spy on web traffic are still in place. And some users may still have this malicious certificate installed. Essentially, these users are still vulnerable, even if the attack is not ongoing. We aren't waiting for the vulnerability to be exploited again in order to fix it," wrote Erwin.
Given Kazakhstan's track record, it's not unlikely that such a vulnerability will be exploited again. In its 2018 Freedom on the Net report, Freedom House classified Kazakhstan as "not free" due to the authoritarian regime's tight controls on the media and the internet. Internet censorship in the nation is currently at an all-time high under the regime of its current leader, President Kassym-Jomart Tokayev. The government regularly blocks news sites and shuts down the internet and messaging services following protests. Due to a 2014 law, state agencies can freely block websites without a court order. According to the Committee to Protect Journalists, over 50,000 materials have been blocked by the government since the law passed.
Erwin said that Mozilla will continue to monitor the government of Kazakhstan's actions and will take action if it issues similar certificates in the future. "If the Government of Kazakhstan were to push users to install a new certificate so they could resume interception, we would take similar action to protect the security and privacy of Firefox users," wrote Erwin.
Update 8/21/19 12:47 PM ET: This article has been updated to include a statement from Apple.