TLS MITM in Kazakhstan, again

[wkrp]

On 2020-12-05, the government of Kazakhstan announced an "exercise" and told people they would have had to install a root TLS certificate in order to access certain foreign web sites. The next day, users in the capital city of Nur-Sultan reported TLS man-in-the-middle attacks. The situation is very similar to what happened in July of last year.

https://www.gov.kz/memleket/entities/mdai/press/news/details/132113?lang=ru (archive)

О проведении учений «Информационная безопасность Нур-Султан - 2020»

Министерство цифрового развития, инноваций и аэрокосмической промышленности Республики Казахстан совместно с Комитетом национальной безопасности Республики Казахстан сообщает о предстоящих учениях в г.Нур-Султан «Кибер-безопасность Нур-Султан-2020» с 6 декабря 2020 года.

В текущем году в связи пандемией и переходом на дистанционные формы работы участились кибератаки на цифровое пространство страны.

В частности, в 2020 году по сравнению с аналогичным периодом прошлого года количество кибератак в казахстанском сегменте Интернет выросло почти в 2,7 раз.

К защите от киберугроз будут привлечены Национальный координационной центр информационной безопасности и система «Киберщит Казахстана», Центр анализа и расследования кибер атак (ЦАРКА), а также силы и средства оперативных центров информационной безопасности КВОИКИ и операторов связи, подразделений по обеспечению информационной безопасности государственных органов и частных компаний.

В период проведения киберучений возможно возникновение различных проблем с доступом к некоторым зарубежным интернет-ресурсам, которые могут быть устранены путём установки сертификата безопасности.

Для получения детальной информации по его установке необходимо обращаться к операторам связи на их официальные интернет-ресурсы и в службы технической поддержки.

On conducting the exercise "Information Security Nur-Sultan - 2020"

The Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan jointly with the National Security Committee of the Republic of Kazakhstan reports on the upcoming exercise in Nur-Sultan "Cyber Security Nur-Sultan-2020" from December 6, 2020.

This year, due to the pandemic and the transition to remote forms of work, cyber attacks on the country's digital space have become more frequent.

In particular, in 2020, compared to the same period last year, the number of cyber attacks in the Kazakh Internet segment increased by almost 2.7 times.

The National Coordination Center of Information Security and the "Cyber Shield of Kazakhstan" system, the Center for Analysis and Investigation of Cyber Attacks (TSARKA), as well as forces and means of operational centers of information security of KVOIKI and telecommunications operators, information security units of state bodies and private companies will be involved in protection against cyber threats.

During cyber exercises it is possible that different problems with access to some foreign Internet resources may occur, which can be eliminated by installing a security certificate.

For detailed information on its installation it is necessary to address to communication operators on their official Internet resources and in technical support services.

Catalin Cimpanu has an article with a screenshot of the message displayed to users of the ISP Beeline:

https://www.zdnet.com/article/kazakhstan-government-is-intercepting-https-traffic-in-its-capital/ (archive)

Starting today, December 6, 2020, Kazakh internet service providers (ISPs) such as Beeline, Tele2, and Kcell are redirecting Nur-Sultan-based users to web pages showing instructions on how to install the government's certificate. Earlier this morning, Nur-Sultan residents also received SMS messages informing them of the new rules.

Kazakhstan users have told ZDNet today that they are not able to access sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix without installing the government's root certificate.

There's discussion and links in a Bugzilla ticket:

https://bugzilla.mozilla.org/show_bug.cgi?id=1680927 (archive)

06.12.2020 will be exercises on "security". And will be tests with CA from government.
https://www.gov.kz/memleket/entities/mdai/press/news/details/132113?lang=ru (archive) https://www.kcell.kz/ru/product/trust-certificate (archive)
https://www.tele2.kz/support/sertificat (archive)

Cert: https://beeline.kz/binaries/content/assets/cert/information_security_certification_authority_ca_pem.crt (archive)
Test site: https://check.isca.gov.kz/ (archive)

Censored Planet, who thoroughly investigated the MITM in Kazakhstan last year, has started measuring how many vantages in Kazakhstan are showing MITM by the new root certificate. They have also compiled a list of affected domains and found the likely IP addresses of the interception devices. According to my reading of their graph, the MITM was only in effect on 2020-12-06 and stopped happening after that day.

https://censoredplanet.org/kazakhstan/live (archive)

In a repeat of its efforts from July-August 2019, Kazakhstan recently (starting from December 6, 2020) began using a new fake root CA (Information Security Certification Authority CA) to conduct man-in-the-middle (MitM) drills against HTTPS connections to websites including Facebook, Twitter, and Google.

Compared to the previous interception attempt in 2019, we observe through remote measurements that the scale of hosts inside Kazakhstan experiencing the interception has increased from ~7% in 2019 to ~11.5% in 2020. The list of domains targeted is similar to the one in 2019, consisting of Google, Facebook, Twitter, VK and mail.ru domains. Since major browser vendors blocked the use of the Qaznet Root certificate that was used in 2019, a new root CA has been established (ISCA), and the interception system has also seen updates.

Number of Vantages Observing MitM (Out of 7764 measured):

On 2020-12-18, browser vendors added the new MITM certificate to a blocklist to prevent it from being used, even by users who had installed it manually.

https://www.zdnet.com/article/apple-google-microsoft-and-mozilla-ban-kazakhstans-mitm-https-certificate/ (archive)

Browser makers Apple, Google, Microsoft, and Mozilla, have banned today a root certificate that was being used by the Kazakhstan government to intercept and decrypt HTTPS traffic for residents in the country's capital, the city of Nur-Sultan (formerly Astana).

After today's ban, even if users have the certificate installed, browsers like Chrome, Edge, Mozilla, and Safari, will refuse to use them, preventing Kazakh officials from intercepting user data.

Today's ban also marks the second time the four browser makers banned a certificate issued by the Kazakh government for man-in-the-middle (MitM) attacks. They blocked a first one in August 2019, a certificate that was used to intercept traffic for various Russian and English-speaking social media sites.

[wkrp]

I archived the certificate file here: https://archive.org/details/isca-ca-certificate.

Curiously, the outside-in test from #6 (comment) does not appear to work this time. It gives a "mismatched SAN" error, not a "unable to get local issuer certificate" error.

$ dig +short iqala.kz
89.219.16.24
$ curl --verbose --resolve www.facebook.com:443:89.219.16.24 https://www.facebook.com/
...
* Server certificate:
*  subject: CN=api.stopcorona.kz
*  start date: Oct 27 05:48:59 2020 GMT
*  expire date: Jan 25 05:48:59 2021 GMT
*  subjectAltName does not match www.facebook.com
* SSL: no alternative certificate subject name matches target host name 'www.facebook.com'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.facebook.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

I do not yet see the certificate's SPKI fingerprint (61c0fc2e38b5b6f9071b42cee54a9013d858b6697c68b460948551b3249576a1 EDIT: this was an error, see #56 (comment)) in CRLSet 6313 (compare #6 (comment)):

$ date -u --iso=sec
2020-12-21T01:31:43+00:00
$ ./crlset fetch > crl-set
Downloading CRLSet version 6313
$ ./crlset dumpSPKIs crl-set | grep -i ^61c0

[wkrp]

Центр анализа и расследования кибер атак (ЦАРКА)

the Center for Analysis and Investigation of Cyber Attacks (TSARKA)

I believe this is the same TSARKA that in 2019 claimed credit (archive) for moderating a discussion to end the MITM that was happening then. Currently at https://tsarka.org/press-center (archive) I do not see anything about the current MITM.

[wkrp]

I do not yet see the certificate's SPKI fingerprint (61c0fc2e38b5b6f9071b42cee54a9013d858b6697c68b460948551b3249576a1) in CRLSet 6313 (compare #6 (comment)):

I figured out what was going wrong here.

1. 61c0... is the certificate fingerprint, not the SPKI fingerprint. The SPKI fingerprint is 8e12d0cb3b7df3ea2257579489fd8658c95603ea6cf4b73163a41eb7b7e93fee.
2. The fingerprint is stored in a different field in the CRLSet file. crlset dumpSPKs reads the field BlockedSPKIs, but the ISCA certificate's SPKI fingerprint appears in the field BlockedInterceptionSPKIs.

We find the expected 8e12... fingerprint if we peek into the JSON header of the crl-set file:

{
  "Version": 0,
  "ContentType": "CRLSet",
  "Sequence": 6313,
  "DeltaFrom": 0,
  "NumParents": 189,
  "BlockedSPKIs": ["Jdoa1Yu/z7In2HI7GFfUwY57qnQXtPnv+TZrXoafizk=", "li5LVLuYp+5dX+uWM/mR08MwDpUU2t57DU+CjHlPjoc=", "yP3cdcsb27WMB7TqhHKH9iZlndZrwQomrdm1dbOgo40=", "BN3pqpp59hSYaCMl+ghwJ2cH+5ypU4QSC0aJMmhJT8k=", "tbqN1/iVZMKInT1kU8hJmMd4JJGbZOoINapimGWRvlA=", "wO0gU0a7veButWD1zuAqNjTiR0p+ds+PvvVjuxF90OM=", "eBpM8ukkUvPuAdDDgaQhTzkEFlw5CtvWH80RJE4Jstw=", "/NdsyiNH5c1bOTR/Uc9DZUtpor/JBzZwpr5H2HAebg4=", "lo26afv/Fb83YgiUMa3lp+rUt+rxvnACaBC8V9HGT24=", "fNKVt1VEgIq9lAlGbwg3xarcAuM7YVDGZE3goJZZ8jw=", "9Sk9R+041MMbLULe47WzrOl8omyirANl42Iu6AITH7s=", "nFmjzK6kaZhCsGjPxSz5RdtRmGlXyDLNsYynOEn7ue4=", "OUz/WJ5okxLPwHHuC8Gf5MYGIWzlQ0Kd5tti5C27O8E=", "NuqWEoyJg5+2IfitDh7gucIgb2Kre02ixnZYk8m3ztI=", "xpENC6nt31kzNBSf7f6HOF83tiU1S7Q5XAriyN9I4Xw=", "MO/kE4JHbDOA8C9+I+ZrovhnsFnuHqaHlrRBuFtdElY=", "r1kVGOLmxg67/AkHr6pJvEBR1F5/IUq/7nUS7gD2Ye0=", "6EnHF2yT32X2S2FpgjZuVmMReBK2+ivAyPqK6u5Bgcw=", "0x7DkoW3pTGdAVfbQg7YfHQ+Mzu8d/h3H3BGT0NqYEk=", "h7/Yr6OvW0KdCamqVO5hNk9a4REx5Dj8QQlTQ80WsTU=", "OD4OE3w3v7nbKfmo5F6f+N1MMORA/sKs09untscguZM=", "TNsGDzz+TD0/XjHDAP1oqR4NHl9Gtk5IlfIOG1z4Jp8=", "qbVam1Uxu/fHGh5JIO/nlsK2eWj1Wmzly2IXLtmUW8o=", "2x0T7EKiy6NnO6Z68t74EunDVWZhdXbZW01vrOPvCug=", "oM9T9CJlHjkxeuMa9kV3vkUPo3biie2DQrf8EzxpdBk=", "j1kfeqTcPv6UkMOKRpLJAR7RKPHeWVVpQG13tvofa0w=", "DEPqi83p/DvKFlZkrIIVVn40idU5OgyB4aeRQZkuGVM=", "LcTLWR9+8GY0QWRrz1wOnbze13ygKUUZPO/G7bF0BhQ="],
  "KnownInterceptionSPKIs": null,
  "BlockedInterceptionSPKIs": ["jhLQyzt98+oiV1eUif2GWMlWA+ps9LcxY6Qet7fpP+4="],
  "NotAfter": 1608840408
}

$ echo jhLQyzt98+oiV1eUif2GWMlWA+ps9LcxY6Qet7fpP+4= | base64 -d | hexdump -e '32/1 "%02x""\n"'
8e12d0cb3b7df3ea2257579489fd8658c95603ea6cf4b73163a41eb7b7e93fee

Support for BlockedInterceptionSPKIs was added to Chromium in this commit from 2019-11-21. The documentation for the fields reads:

//   BlockedSPKIs (array of string): An array of Base64 encoded, SHA-256 hashed
//     SubjectPublicKeyInfos that should be blocked.
//   KnownInterceptionSPKIs (array of string): An array of Base64-encoded
//     SHA-256 hashed SubjectPublicKeyInfos known to be used for interception.
//   BlockedInterceptionSPKIs (array of string): An array of Base64-encoded
//     SHA-256 hashed SubjectPublicKeyInfos known to be used for interception
//     and that should be actively blocked.

[ghost]

How if they finally decrypted TLS? Either by "state owned" browser or by calculate private key with an experimental quantum computer. I'm worry about that.