Mozilla, the non-profit behind the Firefox browser, is debating whether to block a cryptographic certificate Kazakhstan's government is telling its citizens to download so authorities can monitor their web traffic.
The news highlights the role web browser maintainers can play in thwarting or enabling government surveillance, as well as the decisions organizations like Mozilla have to make when considering the safety of their users. The decision is being openly debated in a Google Group and on the Mozilla issue tracker Bugzilla, which shows the difficulty of maintaining open-source software that is used around the world, and the tough spots that government decisions can put developers in.
"The government is now encouraging users to install its root manually, and the current discussion focuses on whether that root certificate should be blocklisted," a Mozilla spokesperson told Motherboard in an email.
A root certificate is a file that, once installed into a web browser, lets whoever holds the matching private key issue certificates the browser will trust, and with that, intercept and read encrypted traffic. Enterprises, for example, may install one onto employees' laptops so the company's security department can monitor for malware or other threats. Browsers also come bundled with a list of pre-approved and installed root certificates that belong to different certificate authorities, or CAs. Cybersecurity firm Symantec has a CA, for instance. These CAs can then create certificates for individual websites, meaning your browser will trust the legitimacy of those sites.
But that trust can be abused. In the Kazakhstan case, the government's root certificate would allow authorities to read that same traffic.
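The trust model described above, as an added example that is not from the article or from Mozilla: a tiny Python model of a browser trust store, built with the `cryptography` library. The CA names ("Example Browser Root CA", "Interception Root"), the site name "example.com" and the helper functions are all constructed placeholders, not anything from the Kazakhstan case. It shows that a certificate for a site is trusted only if a root in the store signed it, that installing an extra root makes look-alike certificates from that root pass the same check, and how a defender can flag roots that were not in the shipped baseline.

```python
"""Added example (not from the article): how browser trust in root certificates
works, and why a user-installed root lets its holder read HTTPS traffic.

Requires the `cryptography` package. All names and certificates below are
constructed placeholders generated at run time.
"""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_cert(subject_cn, issuer_cert, issuer_key, is_ca):
    """Issue a certificate for subject_cn. If issuer_cert is None the
    certificate is self-signed (a root). Returns (cert, private_key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer_name = _name(subject_cn) if issuer_cert is None else issuer_cert.subject
    signing_key = key if issuer_cert is None else issuer_key
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )
    return cert, key


def fingerprint(cert):
    """SHA-256 fingerprint, the usual key for a trust store entry."""
    return cert.fingerprint(hashes.SHA256()).hex()


def is_trusted(leaf, trust_store):
    """The chain-of-signature part of a browser's check: the leaf must be
    signed by a root present in trust_store (a dict keyed by fingerprint).
    Real browsers also check names, validity dates, revocation and policy."""
    for root in trust_store.values():
        if root.subject != leaf.issuer:
            continue
        try:
            root.public_key().verify(
                leaf.signature, leaf.tbs_certificate_bytes,
                ec.ECDSA(leaf.signature_hash_algorithm))
            return True
        except InvalidSignature:
            continue
    return False


def unexpected_roots(trust_store, baseline_fingerprints):
    """Defender check: roots in the store that are not in the shipped
    baseline, i.e. candidates for a manually installed interception root."""
    return sorted(fp for fp in trust_store if fp not in baseline_fingerprints)


def demo():
    # The root a browser ships with, and a site certificate it issued.
    browser_root, browser_root_key = make_cert("Example Browser Root CA", None, None, True)
    site_cert, _ = make_cert("example.com", browser_root, browser_root_key, False)

    # A separate root that a third party asks users to install, plus the
    # look-alike certificate for the same site name its holder can mint.
    intercept_root, intercept_key = make_cert("Interception Root", None, None, True)
    intercept_cert, _ = make_cert("example.com", intercept_root, intercept_key, False)

    shipped = {fingerprint(browser_root): browser_root}
    after_install = {**shipped, fingerprint(intercept_root): intercept_root}

    return {
        "site_trusted_before": is_trusted(site_cert, shipped),
        "intercept_trusted_before": is_trusted(intercept_cert, shipped),
        "site_trusted_after": is_trusted(site_cert, after_install),
        "intercept_trusted_after": is_trusted(intercept_cert, after_install),
        "flagged": unexpected_roots(after_install, set(shipped)),
        "intercept_fp": fingerprint(intercept_root),
    }


if __name__ == "__main__":
    for key_name, value in demo().items():
        print(key_name, value)
```

The point of the two `is_trusted` calls is that nothing about the site's real certificate changes; what changes is the set of roots the browser consults. `unexpected_roots` is the kind of check a fleet administrator can run against the fingerprints of the roots a browser shipped with to notice a root that users were told to add by hand.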
Do you know anything else about internet surveillance? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
In 2015, Kazakhstan's government applied to have its root certificate included in web browsers by default. At the time, Mozilla denied this request. So now, Kazakhstan is telling citizens to just install the root certificate themselves directly. As ZDNet reported, people accessing the internet in Kazakhstan have recently been redirected to web pages telling them to install the root certificate themselves.
In this latest discussion, Mozilla isn't debating the merits of an application from Kazakhstan to include its root certificate, but whether Mozilla should proactively block it. The decision Mozilla makes will affect the internet experience and security of some of the 18 million people living in the autocratic country.
"Mozilla follows an open and transparent process for our CA program, with the current discussion on this topic taking place on our public forums," the Mozilla spokesperson added.
Much of the discussion is being carried out in public on threads dedicated to the issue. There could be downsides too: if Mozilla were to block the Kazakhstan root certificate, users may be unable to access some government services. Sydney Li, staff technologist at activist group the Electronic Frontier Foundation, said in an email that if HTTPS stops working because a browser blocks the certificate, the easy thing for users to do would be to switch to a browser where the certificate is still allowed.
Li added, "this is absolutely something that can be discussed by browser makers, now that this attack has been demonstrated at such a large scale in the real world. That being said, browser makers should also make sure to bring affected parties into the loop, including security researchers and Internet users based in Kazakhstan."
Google and Apple did not respond to a request for comment asking whether they are having similar discussions about blocking the Kazakhstan certificate in their own browsers. Microsoft declined to comment.
The Kazakh government's decision is also being discussed openly on the Wikimedia-L listserv, an email group for administrators and editors of Wikipedia and other related projects:
"I think this has serious implications for Wikipedia & Wikimedia, as not only they would be easily able to see which articles people read, but also steal login credentials, depseudonymize people and even hijack admin accounts," one user wrote. Users are discussing the possibility of showing a warning banner for people accessing Wikipedia from Kazakhstan or the possibility of making Wikipedia available in that country only via the Tor anonymity network or over a VPN. Kazakhstan has an inactive local Wikipedia chapter, and so any decision on what (if anything) to do will likely be made by people living outside the country.
In a statement in June, the United Nations Human Rights Office condemned Kazakhstan authorities for arresting at least 1000 peaceful protesters, including journalists.
Earlier this month, Mozilla blocked UAE cybersecurity company DarkMatter from becoming a certificate authority in Firefox due to multiple media reports which showed the firm was launching offensive hacking operations.
Update: This piece has been updated to include a response from Microsoft.