Apple, Google and Mozilla have decided to ban the root certificate which the Kazakhstan government has been using in the last month to spy on its citizens’ web traffic.
Now Chrome, Firefox, and Safari will show errors if the HTTPS web traffic is encrypted with the Kazakh government’s root or leaf certificates.
This synchronized act by the tech companies makes sure of the safety of Kazakh users who were forced by their local Kazakh ISPs to install this certificate by threatening them of not being allowed to use the internet otherwise.
The Kazakh government has issued a decree following which the Kazakh ISPs forced their customers to install the government’s root certificate. According to the government this measure was “aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats.”
But in reality, the Kazakh government misused this root certificate that has been installed in millions of user’s browsers to intercept and decrypt HTTPS traffic the users were making to 37 domains, like Facebook, Google, Twitter, Instagram, and YouTube.
However, the government officials have deserted this plan in early August without any clarification, after intercepting HTTPS traffic for more than three weeks.
Nur-Sultan (formerly Astana) officials states that the whole scheme was just a test, and the local ISPs stopped forcing Kazakh users into installing the government’s root certificate.
But the certificate which was installed in millions of browsers used by Kazakh home users and companies still remained in it.
When the government’s root certificate is banned by the Chrome, Firefox, and Safari, they make sure that the Kazakh government won’t be able to secretly exploit the certificate at any time in the future or continue their web surveillance program.
According to an Apple spokesperson, the company has taken strict measures to make sure that the certificate is not trusted by Safari and the users are protected from this issue.
Parisa Tabriz, Senior Engineering Director on Google Chrome assured that they would not permit any efforts by any organization to compromise Chrome users’ data and that they have implemented protections from this specific issue.
Each company will establish a technical solution distinctive for their browser, but, in effect, both browsers won’t trust the Kazakh’s government’s root certificate even if the user still has it installed. The Kazakh users are advised to remove the certificate if they have installed it earlier.