On Wednesday, Google and Mozilla announced they would block an encryption certificate the Kazakhstan government has forced citizens to download. The certificate allows authorities to intercept Facebook, Twitter, Google, and other passwords of the 18 million people in the country. But now with two of the main browser makers pushing back, that surveillance will be more difficult for the government to carry out.
“We will never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users’ data. We have implemented protections from this specific issue, and will always take action to secure our users around the world," Parisa Tabriz, senior engineering director for Chrome, said in a statement. An Apple spokesperson said they had also blocked the certificate.
A root certificate is a file that once installed inside a user's web browser can read encrypted traffic. Browsers come bundled with a list of trusted organizations that issue root certificates, called certificate authorities, or CAs. CAs can then issue individual certificates for specific sites.
The government of Kazakhstan is not a trusted authority however, and has a history of using sweeping surveillance powers on its population. Last month, Mozilla and some other open source projects debated how to respond when Kazakhstan started to force people in the country to download the root certificate.
Do you know anything else about this certificate? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
“People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security. We don't take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists," Marshall Erwin, senior director of trust and security, said in a statement.
One potential move the Kazakhstan government could make is mandate the downloading of its own custom browser with the certificate already installed, instead of relying on browser manufacturers to allow the certificate.
Weeks after Kazakhstan internet service providers told users to download the certificate, the government announced the move is only part of a "test" and that users can remove the file as use the internet as normal, Reuters reported.
A Microsoft spokesperson said in a statement "The Certificate Authority (CA) in question is not a trusted CA in our Trusted Root Program. A full list of trusted CA’s can be found here."
An Apple spokesperson wrote in a statement "Apple believes privacy is a fundamental human right, and we design every Apple product from the ground up to protect personal information. We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue." In response to a follow-up question, the spokesperson added, "We have taken steps to block the cert."
Update: This piece has been updated with a statement and some additional comment from Apple.
Subscribe to our new cybersecurity podcast, CYBER.