Apple, Google, and Mozilla block Kazakhstan's HTTPS intercepting certificate

Kazakhstan government's root certificate banned inside Chrome, Firefox, and Safari.
Written by Catalin Cimpanu, Contributor
Mockup: Jake Smith

Apple, Google, and Mozilla have moved in to ban a root certificate the Kazakhstan government used in the past month to spy on its citizens' web traffic.

Starting today, Chrome, Firefox, and Safari will show errors if any HTTPS web traffic is encrypted with the Kazakh government's root or leaf certificates.

This coordinated action will ensure the safety of Kazakh users who were forced last month by their local Kazakh ISPs to install this certificate under the threat of not being allowed to use the internet otherwise.

Kazakh ISPs forced their customers to install the government's root certificate after the Kazakh government issued a decree and said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats."

But in reality, the Kazakh government abused this root certificate, installed in millions of users' browsers, to intercept and decrypt HTTPS traffic users were making to 37 domains, such as Facebook, Google, Twitter, Instagram, and YouTube.

Kazakhstan stopped surveillance scheme earlier this month

Government officials abandoned this plan in early August without any explanation, after intercepting HTTPS traffic for more than three weeks.

Nur-Sultan (formerly Astana) officials said the entire scheme was only a test, and local ISPs soon stopped forcing Kazakh users into installing the government's root certificate.

However, the certificate has remained installed in millions of browsers used by Kazakh home users and companies.

By banning the government's root certificate in Chrome, Firefox, and Safari, the three browser vendors are making sure the Kazakh government won't be able to secretly utilize the certificate in the future and restart its web surveillance program when things quiet down and everyone's attention and scrutiny have moved to other things.

"Apple believes privacy is a fundamental human right, and we design every Apple product from the ground up to protect personal information," an Apple spokesperson told ZDNet. "We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue."

"We will never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users' data. We have implemented protections from this specific issue, and will always take action to secure our users around the world," said Parisa Tabriz, Senior Engineering Director on Google Chrome.

"People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security. We don't take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists," said Marshall Erwin, Senior Director of Trust and Security at Mozilla.

Each company will deploy a technical solution unique to its browser, but, in effect, none of the three browsers will trust the Kazakh government's root certificate even if the user still has it installed. Nevertheless, Kazakh users are advised to remove the certificate if they previously installed it.

Updated on August 21, 6:50am ET, with a statement from Apple on the company's decision to ban the Kazakhstan government's root certificate in Safari as well. Title updated accordingly.
