{"id":2482,"date":"2019-08-21T03:00:49","date_gmt":"2019-08-21T10:00:49","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2482"},"modified":"2019-08-21T10:38:17","modified_gmt":"2019-08-21T17:38:17","slug":"protecting-our-users-in-kazakhstan","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2019\/08\/21\/protecting-our-users-in-kazakhstan\/","title":{"rendered":"Protecting our Users in Kazakhstan"},"content":{"rendered":"<p>Russian translation: <a href=\"https:\/\/blog.mozilla.org\/security\/%d0%b7%d0%b0%d1%89%d0%b8%d1%82%d0%b0-%d0%bf%d0%be%d0%bb%d1%8c%d0%b7%d0%be%d0%b2%d0%b0%d1%82%d0%b5%d0%bb%d0%b5%d0%b9-%d0%bd%d0%b0-%d1%82%d0%b5%d1%80%d1%80%d0%b8%d1%82%d0%be%d1%80%d0%b8%d0%b8-%d0%ba\/\">\u0415\u0441\u043b\u0438 \u0432\u044b \u0445\u043e\u0442\u0438\u0442\u0435 \u043e\u0437\u043d\u0430\u043a\u043e\u043c\u0438\u0442\u044c\u0441\u044f \u0441 \u044d\u0442\u0438\u043c \u0442\u0435\u043a\u0441\u0442\u043e\u043c \u043d\u0430 \u0440\u0443\u0441\u0441\u043a\u043e\u043c \u044f\u0437\u044b\u043a\u0435, \u043d\u0430\u0436\u043c\u0438\u0442\u0435 \u0437\u0434\u0435\u0441\u044c.<\/a><\/p>\n<p>Kazakh translation: <a href=\"https:\/\/blog.mozilla.org\/security\/\u049b\u0430\u0437\u0430\u049b\u0441\u0442\u0430\u043d\u0434\u0430\u0493\u044b-\u043f\u0430\u0439\u0434\u0430\u043b\u0430\u043d\u0443\u0448\u044b\u043b\u0430\u0440\u044b\u043c\u044b\u0437\u0434\u044b\/\">\u0411\u04b1\u043b \u043f\u043e\u0441\u0442\u044b\u043d\u044b \u049b\u0430\u0437\u0430\u049b \u0442\u0456\u043b\u0456\u043d\u0434\u0435 \u043c\u044b\u043d\u0430 \u0436\u0435\u0440\u0434\u0435\u043d \u043e\u049b\u044b\u04a3\u044b\u0437.<\/a><\/p>\n<p>In July, a Firefox user informed Mozilla of a security issue impacting Firefox users in Kazakhstan: They stated that Internet Service Providers (ISPs) in Kazakhstan had begun telling their customers that they must install a government-issued root certificate on their devices. 
What the ISPs didn\u2019t tell their customers was that the certificate was being used to intercept network communications. Other users and <a href=\"https:\/\/www.f5.com\/labs\/articles\/threat-intelligence\/kazakhstan-attempts-to-mitm-itscitizens\">researchers confirmed these claims<\/a>, and <a href=\"https:\/\/censoredplanet.org\/kazakhstan\">listed 3 dozen popular social media and communications sites that were affected<\/a>.<\/p>\n<p>The security and privacy of HTTPS-encrypted communications in Firefox and other browsers rely on trusted Certificate Authorities (CAs) to issue website certificates only to someone who controls the domain name or website. For example, you and I can\u2019t obtain a trusted certificate for www.facebook.com because Mozilla has <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\">strict policies<\/a> for all CAs trusted by Firefox, which allow only an authorized person to get a certificate for that domain. However, when a user in Kazakhstan installs the root certificate provided by their ISP, they are choosing to trust a CA that doesn\u2019t have to follow any rules and can issue a certificate for any website to anyone. This enables the interception and decryption of network communications between Firefox and the website, sometimes referred to as a Monster-in-the-Middle (MITM) attack.<\/p>\n<p>We believe this act undermines the security of our users and the web, and it directly contradicts Principle 4 of the <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/manifesto\/\">Mozilla Manifesto<\/a> that states, \u201cIndividuals\u2019 security and privacy on the internet are fundamental and must not be treated as optional.\u201d<\/p>\n<p>To protect our users, Firefox, together with Chrome, will block the use of the Kazakhstan root CA certificate. This means that it will not be trusted by Firefox even if the user has installed it. 
We believe this is the appropriate response because users in Kazakhstan are not being given a meaningful choice over whether to install the certificate and because this attack undermines the integrity of a critical network security mechanism. When attempting to access a website that responds with this certificate, Firefox users will see an error message stating that the certificate should not be trusted.<\/p>\n<p>We encourage users in Kazakhstan affected by this change to research the use of virtual private network (VPN) software, or the <a href=\"https:\/\/www.torproject.org\/download\/\">Tor Browser<\/a>, to access the Web. We also strongly encourage anyone who followed the steps to install the Kazakhstan government root certificate to remove it from their devices and to immediately change their passwords, using a strong, unique password for each of their online accounts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Russian translation: \u0415\u0441\u043b\u0438 \u0432\u044b \u0445\u043e\u0442\u0438\u0442\u0435 \u043e\u0437\u043d\u0430\u043a\u043e\u043c\u0438\u0442\u044c\u0441\u044f \u0441 \u044d\u0442\u0438\u043c \u0442\u0435\u043a\u0441\u0442\u043e\u043c \u043d\u0430 \u0440\u0443\u0441\u0441\u043a\u043e\u043c \u044f\u0437\u044b\u043a\u0435, \u043d\u0430\u0436\u043c\u0438\u0442\u0435 \u0437\u0434\u0435\u0441\u044c. Kazakh translation: \u0411\u04b1\u043b \u043f\u043e\u0441\u0442\u044b\u043d\u044b \u049b\u0430\u0437\u0430\u049b \u0442\u0456\u043b\u0456\u043d\u0434\u0435 \u043c\u044b\u043d\u0430 \u0436\u0435\u0440\u0434\u0435\u043d \u043e\u049b\u044b\u04a3\u044b\u0437. 
In July, a Firefox user informed Mozilla &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/08\/21\/protecting-our-users-in-kazakhstan\/\">Read more<\/a><\/p>\n","protected":false},"author":1574,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538],"tags":[45499],"coauthors":[320076],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Protecting our Users in Kazakhstan - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/08\/21\/protecting-our-users-in-kazakhstan\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Wayne Thayer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/08\/21\/protecting-our-users-in-kazakhstan\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2019\/08\/21\/protecting-our-users-in-kazakhstan\/\",\"name\":\"Protecting our Users in Kazakhstan - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2019-08-21T10:00:49+00:00\",\"dateModified\":\"2019-08-21T17:38:17+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e9d30f6a04fd425b92ce414efb490f7a\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/08\/21\/protecting-our-users-in-kazakhstan\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2019\/08\/21\/protecting-our-users-in-kazakhstan\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/08\/21\/protecting-our-users-in-kazakhstan\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Protecting our Users in Kazakhstan\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e9d30f6a04fd425b92ce414efb490f7a\",\"name\":\"Wayne Thayer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/9d66cb7b8ff76e006a6f0af6fa7d949a\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2bd1ca829153b238eca5f4da201857f9?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2bd1ca829153b238eca5f4da201857f9?s=96&d=identicon&r=g\",\"caption\":\"Wayne Thayer\"},\"sameAs\":[\"https:\/\/x.com\/wthayer\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}