
Bulletproof TLS Newsletter

55

Kazakhstan intercepts TLS traffic

30 July 2019

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

HTTPS connections in Kazakhstan are being partially intercepted. According to several reports, Internet providers in the central Asian country have asked their customers to install a special root certificate in their browsers; that certificate lets the interceptor issue certificates for arbitrary sites, which is what makes the interception possible. The issue first became known to a wider audience through a report in Mozilla's bug tracker. Mozilla has not yet decided how to respond, but several users have asked it to block the certificate in question.

A report published by the Censored Planet organization includes technical details about the interception. According to the report, the interception is selective: it only happens on certain domains, which include several Google services, Facebook, Twitter, and several hosts of the Russian social network VK.

Attempts by Kazakhstan to intercept user traffic this way are not new. In 2015, a notice appeared on the website of Kazakhtelecom asking users to install a root certificate. The notice disappeared shortly afterward, and the government appeared to have shelved the plan for a few years.

Using manually installed root certificates to intercept HTTPS traffic is not an unusual technique, although it is controversial; many security products deployed in larger companies work the same way to inspect user traffic. Once such a root is in the trust store, the browser's own certificate validation no longer protects the user: the interceptor can issue a certificate for any domain, and it validates exactly like one from a public CA. The only way to notice is to check which root a chain actually terminates at, for example against a pinned set of expected roots, or by looking up the served certificate in Certificate Transparency logs, where a certificate from a locally installed root will not appear.
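The following Go program is an added example, not code from the newsletter or from any of the parties it describes. It builds a small constructed PKI: a genuine public root, a second root standing in for a locally installed interception root, and a certificate for a hypothetical host issued under each. Both roots are placed in the trust store, as they would be on a machine whose owner followed the provider's instructions, so standard path validation accepts both chains. The check then compares the SPKI hash of the root each chain terminates at against a pinned allow-list; only the intercepted chain fails that comparison. The CA names, the host name and the pinning policy are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key and signs tmpl with parent; a nil parent means
// self-signed. Every certificate in this file is constructed test data.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// spkiPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CheckChain does what the browser does (path validation against the trust store)
// and then what it does not do: it checks that the root the chain ends at is one
// the operator expects. Returns the root's CN and whether that root is pinned.
func CheckChain(host string, leaf *x509.Certificate, trust *x509.CertPool, pinned map[string]bool) (string, bool, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trust})
	if err != nil {
		return "", false, err
	}
	root := chains[0][len(chains[0])-1]
	return root.Subject.CommonName, pinned[spkiPin(root)], nil
}

// Scenario models a client whose trust store holds the genuine public root and an
// interception root the user was told to install, then checks a chain from each.
func Scenario() (genuineOK, interceptedOK bool, interceptRoot string, err error) {
	const host = "www.example.com" // hypothetical target
	publicCA, publicKey := makeCert(caTemplate("Example Public Root CA"), nil, nil)
	mitmCA, mitmKey := makeCert(caTemplate("Locally Installed Interception Root"), nil, nil)
	trust := x509.NewCertPool() // both roots are trusted: that is the whole problem
	trust.AddCert(publicCA)
	trust.AddCert(mitmCA)
	pinned := map[string]bool{spkiPin(publicCA): true} // the operator expects only this root

	genuineLeaf, _ := makeCert(leafTemplate(host), publicCA, publicKey)
	mitmLeaf, _ := makeCert(leafTemplate(host), mitmCA, mitmKey)
	if _, genuineOK, err = CheckChain(host, genuineLeaf, trust, pinned); err != nil {
		return
	}
	interceptRoot, interceptedOK, err = CheckChain(host, mitmLeaf, trust, pinned)
	return
}

func main() {
	genuine, intercepted, root, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine chain: validates, pinned=%v\n", genuine)
	fmt.Printf("intercepted chain: validates, pinned=%v (root %q is trusted but not expected)\n", intercepted, root)
}
```

The point of the example is the second line of output: path validation reports nothing wrong with the intercepted chain, and only the comparison against the expected root reveals it. The same check applies to any locally installed root, including the shared ones that some bundled desktop software adds to the system store.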


Short news

  • An invalid-curve vulnerability was found in AMD's Secure Encrypted Virtualization (SEV) platform: the firmware did not check that supplied elliptic-curve points actually lie on the expected curve.
  • NSS has released version 3.44.1, with mostly minor bug fixes.
  • Mozilla has published an updated version 5.0 of its Security/Server Side TLS configuration guide.
  • Joseph Birr-Pixton, the developer of rustls, has published benchmark results comparing the performance of rustls to OpenSSL.
  • A research paper analyzes the privacy properties of the TLS 1.3 handshake.
  • Both Mozilla and Google have announced that they will distrust certificates from the DarkMatter certificate authority. As we reported in a previous newsletter, there were concerns about the company due to media reports about DarkMatter helping the government of the United Arab Emirates to attack dissidents.
  • MatrixSSL 4.2.1 fixes an out-of-bounds read vulnerability in its ASN.1 parser.
  • Mozilla announced that starting with Firefox 68, camera and microphone permissions on web pages will need HTTPS. This is part of a larger trend in which browsers grant certain powerful features only to HTTPS pages.
  • The company Airo has reported on a software package called PremierOption from Comscore that installs a local root certificate, identical on all affected systems, in order to analyze traffic. Installing a shared root this way leaves the system open to attack: anyone who extracts the private key from the software can issue certificates that every affected machine will trust. The software comes bundled with other software packages; the report lists BitLord, a BitTorrent client, as an example.
  • Koen Rouwhorst reports that the Amazon Music app was running a local HTTPS server with a valid certificate whose private key was bundled in the software. This is a common pattern; we published detailed background information on this topic in an earlier newsletter.
  • A research paper analyzes the performance costs of DNS over HTTPS (DoH) and DNS over TLS (DoT).
  • Revssl is a script to create a TLS-encrypted reverse shell with OpenSSL.

