Kazakh here. Fuck, what do we do? Any suggestions other than trying to raise awareness?
To give some context, the reason why they are getting away with such brute methods is that most people wouldn't understand the full implication. I would be surprised if this would prove difficult to enforce - the first thing an ordinary person would do when, say, Facebook wouldn't load is to call up the Kazakhtelecom's support and the support guy would tell them to "press that button that says 'I trust this certificate'" and they would comply. There also hasn't been an uproar re government snooping into private citizens' communication, the kind that US had with Snowden etc., so a lot of people are likely to accept the "for your own security" talk at face value without much skepticism. It's also unlikely that even heightened awareness will inspire much backlash, as there is no real track record of grassroots organizing, even when the government tightens the screws. To its credit, the government has been quite skillful at balancing at just below the limit of pissing people off enough to make them go to the streets for the last twenty years (soaring oil prices in the last decade helped as well).
What do you do? You immediately reach out to Apple, Google, Facebook, Twitter, Box, Dropbox, Tumblr, and any other popular platform which has mobile apps. You ask, or down-right demand they implement certificate pinning in their apps so they will fail when middled with the government provided certificate. This will in turn break access to those platforms via mobile apps which will result in very real and direct impact to citizens who will then hopefully wake up and pressure the government to roll-back the program or at least put exceptions in place. You continue this strategy with banks, etc., until it becomes clear to the government that this plan will not work. Note that cert pinning for mobile and desktop apps should have happened long ago & this might be the perfect opportunity to drive it to happen.
Down-right demand? With what authority? It sounds like you're confusing these corporations for governments, as if they had to enforce your human rights.
The authority of the free market. Did web PKI develop because of governments? No. In fact, quite the contrary. Similarly, if consumers are educated and aware of the weaknesses of current cryptography controls in light of new threats such as governments requiring the installation of their own root CA so they can middle the connection, maybe they'll drive demand for better controls, controls which already exist.
Authority is a self-made concept, and governments are just a type of corporation. Of course neither "has" to enforce your human rights, but if these corporations stood up for the people it would be good for everyone involved.
Certificate pinning is absolutely targeted at stopping the use of rogue root CAs installed in devices. OWASP does a pretty good job of covering the topic.
You just linked to 20 screenfuls of text that explain pinning in general, without a single mention of "rogue".
The fact is that pinning as implemented in Chrome exempts installed CAs from pinning checks because they want to allow administrator-mandated MITM - apparently a "market requirement" because it's a common practice in schools and workplaces in some countries that lack reasonable communications privacy legislation.
You might have a point if Chrome hadn't been the first browser to implement pinning, therefore defining the concept in web context to a large extent.
You may argue that this is broken behaviour, but that's what pinning currently is in browsers. Seems it's this way in Firefox too ("pinning not enforced if the trust anchor is a user inserted CA, default" - https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinn...)
Apps can certificate pin in 2 ways. One, they can directly inspect the certificate fingerprint and pin to a specific fingerprint (I chose this method for Level Money's product).
The other option is to examine and pin the signing certificate. This is more code and more prone to error, but makes your connection slightly more robust in the face of a compromised certificate.
And yes, both techniques work even if a cert in your root store has another certificate. Applications can simply refuse to function, but this has to be done on an ad hoc basis.
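Both styles described above (pin the server certificate's own key, or pin the signing certificate's key) come down to the same check: after the platform has built a chain, refuse the connection unless one of the keys in that chain is the one you expected. The Go program below is an added example, not code from this thread or from any product mentioned in it; it uses only Go's standard library and the same callback shape as `tls.Config.VerifyPeerCertificate`. The helper names (`spkiPin`, `makeCert`, `verifyPinned`, `demo`), the hostname `bank.example` and the two throwaway CAs are all constructed for the demo. It also shows, in contrast to the Chrome policy quoted further down the thread, what happens when an app does not exempt user-installed trust anchors: a chain under a root the user was told to install passes ordinary store validation and is then rejected by the pin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "bank.example" // constructed hostname used for both chains

var serial int64 // demo-only serial counter

// spkiPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo,
// the value an app would ship as its pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// makeCert issues a throwaway P-256 certificate for cn: self-signed when parent is nil,
// otherwise signed by parent/parentKey. It panics on error because this is demo code.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyPinned has the shape of tls.Config.VerifyPeerCertificate. Ordinary chain building
// against roots runs first (a user-installed root passes this step like any other); then a
// pinned SPKI must appear in the chain: only the leaf's when leafOnly is set, otherwise any
// certificate in the chain. No exemption is made for private trust anchors.
func verifyPinned(rawCerts [][]byte, roots *x509.CertPool, pins map[string]bool, leafOnly bool) error {
	if len(rawCerts) == 0 {
		return errors.New("no peer certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	for _, raw := range rawCerts[1:] {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	if err != nil {
		return err // wrong name, expired, untrusted root, ...
	}
	for _, chain := range chains {
		if leafOnly {
			chain = chain[:1]
		}
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return errors.New("pin mismatch: chain is trusted by the store but none of its keys is pinned")
}

type pinResults struct{ legitLeaf, rogueLeaf, legitIssuer, rogueIssuer error }

// demo builds a legitimate CA and a rogue "national" CA, trusts BOTH as roots (the user
// pressed "I trust this certificate"), and exercises each chain under both pinning styles.
func demo() pinResults {
	legitCA, legitKey := makeCert("Legit Root (constructed)", true, nil, nil)
	legitLeaf, _ := makeCert(host, false, legitCA, legitKey)
	rogueCA, rogueKey := makeCert("National Security Certificate (constructed)", true, nil, nil)
	rogueLeaf, _ := makeCert(host, false, rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA)
	leafPins := map[string]bool{spkiPin(legitLeaf): true}
	issuerPins := map[string]bool{spkiPin(legitCA): true}
	legit, rogue := [][]byte{legitLeaf.Raw}, [][]byte{rogueLeaf.Raw}
	return pinResults{
		legitLeaf:   verifyPinned(legit, roots, leafPins, true),
		rogueLeaf:   verifyPinned(rogue, roots, leafPins, true),
		legitIssuer: verifyPinned(legit, roots, issuerPins, false),
		rogueIssuer: verifyPinned(rogue, roots, issuerPins, false),
	}
}

func main() {
	r := demo()
	fmt.Println("legit chain, leaf pin:  ", r.legitLeaf)
	fmt.Println("rogue chain, leaf pin:  ", r.rogueLeaf)
	fmt.Println("legit chain, issuer pin:", r.legitIssuer)
	fmt.Println("rogue chain, issuer pin:", r.rogueIssuer)
}
```

Running it prints `<nil>` for the two legitimate checks and a pin-mismatch error for the two rogue ones, even though `leaf.Verify` accepted the rogue chain because its root sits in the pool. The issuer-pin variant is the one that survives a routine server key rotation (only the CA key has to stay fixed), which is the trade-off the comment above is pointing at; pinning the SPKI rather than the whole certificate fingerprint likewise keeps the pin valid across re-issuance with the same key.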
> Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites.
You are right of course, but there are apparently a whole lot of people of the opinion that since Chrome was (one of the?) first apps implementing some sort of pinning, that this is de facto what certificate pinning "is".
I don't really agree with that, but it's IMO more useful to acknowledge the confusion, than having an argument about whether Chrome really does pinning or even gets to de facto define pinning or not, since this isn't even about Chrome :)
I get your point. The notion of designating a broken implementation as "the standard" makes me queasy, ever since IE6 happened.
But still, I would have much preferred if the GP would have started their comment with "yes, but" instead of "sorry, no". That would have made the distinction much clearer.
How would the telco get their Private Trust Anchor into the certificate store? More social engineering, I suppose. At the app level though, a chain resolution like what you describe is not required.
They will be telling citizens to install a "national security certificate". After they implement this, you won't be able to access the internet without it.
They COULD do that but they almost certainly aren't doing that. That's a tedious task that requires a lot of time and technically competent employees.
Also we are talking about apps implementing certificate pinning. Not reading from the OS store etc., and therefore, I don't see Kazakhstan reverse engineering and patching executables.
Why the hell doesn't Chrome have its own root cert store by now anyway? I can't believe they are leaving such an important trust piece to Microsoft's Windows...
I don't think you understand how certificate pinning works then. Many apps right now allow local trust stores, but with this announcement I bet that'll change.
> most people wouldn't understand the full implication
So attack that. Tell a story. What does this allow the government to do? Could a jealous ex-lover who works for the government read their ex's messages? Could the local mayor find out if you've got a medical problem? Get an illustrator to draw these up as little comics. Make images that people can understand.
I created the above image. Just to give you an idea of how important it is to make sure that the message is easy to absorb, a few years ago this made it into the WCIT leaks:
Check out the fifth to last page, which is basically identical to what I created, if presented a bit worse. Did anyone give a shit? Nope.
Is that a genuine logo of the fucking ITU, the international body probably most obliged to prevent this kind of shit globally, and was this put together by a "senior staff member of the ITU" rather than /u/quink on reddit? Yup.
Did anything of that presentation make it to the media or public discussion? Nope. Meanwhile, my PNG has been posted here on HN 6 years after I first created it.
Let me know if you need my help, but I'm not at all sure how to best broadcast that message. Keeping away the MITM (who is here employed by an "elected" government with executive powers and "judicial oversight" acting "in the interest of public security" rather than a bogeyman or a corporation) is harder than protecting the ability to consume. Maybe the answer lies in making people afraid for their money.
Anyone with access to the private key for the certificate, which includes anyone with access to the multitude of servers that relay traffic for the entire country, could technically drain everyone's bank accounts and give away your shares at their discretion, if you've ever used online banking or trading in Kazakhstan. A single bad memory or whatever bug in some software somewhere and the number that's the private key is in the open.
In all honesty, make investors and bankers afraid and any government will shut up. As for ordinary lives of people, PRISM has shown us that they don't really care about this security stuff.
Thanks so much for your offer to help - as soon as I figure out the best course of action I might contact you. The fact that they took the page down gives some hope - maybe they're not as reckless and understand that the public won't be happy about this. We'll see what happens next.
>In all honesty, make investors and bankers afraid and any government will shut up.
This is a great idea in general, but it requires a strong corporate/investor establishment that is independent from the government. Unfortunately and unsurprisingly, 90% of the Kazakh Forbes list are either 1) straight up politicians, 2) politicians' close relatives (offspring and in-laws), 3) those, whose involvement with government is "open secret" (e.g. someone rumored as being a president's personal banker), or 4) those doing in oil and gas, heavily regulated industries where government's cooperation is required to make it work. :(
>Kazakh here. Fuck, what do we do? Any suggestions other than trying to raise awareness?
Revolution or leaving the country are your only choices. There is no democracy so there is probably no way to resolve this grievance, and I doubt it would be anywhere near the top of list for most citizens.
You can speak English and probably have computer skills, so I hope it would be possible for you to get out.
> There is no democracy so there is probably no way to resolve this grievance
Just for the record, look to the US for a good example of how well democracy works for "resolving grievances".
Occupy Wall Street protesters aired some grievances, and were beaten and tased into submission. The same happens anywhere, every time the citizenry actually demands something.
It's kind of amazing how people still hold democracy as some sort of 'value' to strive for, when in reality it's just a PR-facade.
Beaten into submission? Maybe they tried that, but eventually what worked was that they were legislated into submission. They found some technicality for why they couldn't legally occupy that space, and everything went downhill fast after that. (I could be wrong. I wasn't paying much attention at the time.)
We can rest assured there were plenty of beatings and tasings involved - that's a big part of why some "people" become police officers in the first place.
But the point is that the same thing happens everywhere. Not that long ago, Hong Kong's people protested against China appointing their rulers. They were beaten and maced etc.
Brazilians protested against a massive waste of their money on The World Cup (or some such), and got swiftly brutalized by the police. Venezuelans protested economic destruction etc, and got brutalized.
You see, as long as people just endure whatever bullshit their rulers are inflicting on them, the rulers don't have to give a fuck about them. But when people actually resist, they are violently repressed.
Otherwise the masses might start entertaining the notion that maybe they don't have to just take all the bullshit bureaucracy, massive looting/exploitation, surveillance and abuse they're subjected to after all, and their rulers definitely don't want that to happen.
The whole point of being a ruler is exploiting your subjects. Surveillance and brutality are mostly just a part of what it takes to maintain your rule over them.
I'd like to point out one difference: as far as I know, in the US police are never given orders to hurt protesters. In theory, they can even get in trouble for doing so. In the other countries you listed, this was official policy.
In any case, my point was that in the Occupy Wall Street case, these things occurred, but they are not what caused the final blow. The final blow was a court ruling that said they have to clear out. (The wording was a bit more subtle, but that's what Wikipedia is for.)
> as far as I know, in the US police are never given orders to hurt protesters. In theory, they can even get in trouble for doing so. In the other countries you listed, this was official policy.
Well, they don't need orders to hurt protesters. Some of them will actively seek out opportunities for doing so, because that's what they signed up for. Those would be the psychopaths, by the way.
Yes, in theory they can get in trouble for hurting people, but in practice we all know they don't.
> The final blow was a court ruling that said they have to clear out. (The wording was a bit more subtle, but that's what Wikipedia is for.)
I have no clue if that's accurate, but it sure would have been convenient for Wall Street.
- A life-long educational program for the people, starting with study of basic logic, rhetoric, and obscurantism. Consider collaborating with people trying to do the same in e.g. Russia.
- Joining the burgeoning autocratic bureaucracy and playing by its rules to bring change from within. If you don't feel like you have the energy or skills, consider supporting a like-minded, but more capable person in their career. It's never a crime to support a growing bureaucrat.
The biggest challenge you're going to face is defining a common idea to unite the people with whom you want to collaborate. "Like-minded" should mean something specific, or else. This idea should paint a picture compelling enough to motivate people to act, even if only a smallish number, and big enough to eclipse the lesser differences among the collaborators.
Raise awareness, spread the word about Tor. If they start running attacks against Tor, start an uproar. And pitch Tor as an elementary security measure; say "do this to make your communications more secure." It isn't perfect, but maybe it's better than nothing?
Kazakhstan already blocks the Tor website and its bootstrap nodes. Also I heard that it has DPI hardware and made attempts to block Tor traffic (but last time Tor worked for me with my private bridge). No uproars here :) Most citizens are not educated to understand what Tor is and will trust the government, who'll tell them that Tor is for criminals and must be forbidden.
I suspect Kazakhstan doesn't have the resources to mount attacks against Tor unless they can pay some western company to do it for them.
Blocking it is a somewhat different matter.