In a troubling rehash of events from July 2019, Mozilla was recently informed that Internet Service Providers (ISPs) in Kazakhstan have begun telling their customers that they must install a government-issued root certificate on their devices to access internet services. When a user in Kazakhstan installs the root certificate provided by their ISP, they are choosing to trust a Certificate Authority (CA) that enables the interception and decryption of network communications between Firefox and the website.
As we stated in 2019, we believe this act undermines the security of our users and the web, and it directly contradicts Principle 4 of the Mozilla Manifesto that states, “Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.”
As a result, Mozilla, as well as Apple, Google and Microsoft, will block the use of the Kazakhstan root CA certificate within their browsers. Following Mozilla’s established precedent, this means that it will not be trusted by Firefox even if the user has installed it. When attempting to access a website that responds with this certificate, Firefox users will see an error message stating that the certificate should not be trusted.
We encourage users in Kazakhstan affected by this change to research the use of virtual private network (VPN) software or the Tor Browser to access the Web. We also strongly encourage anyone who followed the steps to install the Kazakhstan government root certificate to remove it from their devices and to immediately change their passwords, using a strong, unique password for each of their online accounts. The Password Manager built into Firefox can be used to do this quite easily and across devices.
Continuing to Protect our Users in Kazakhstan
Marshall Erwin and Kathleen Wilson