Browser manufacturer Mozilla has teamed up with Google, Apple and Microsoft to jointly block a root certificate from the government of Kazakhstan. With this certificate for web browsers, the country wants to redirect, decrypt and monitor the encrypted Internet data traffic of its citizens. It is the second time that the four browser manufacturers have excluded such a government certificate from use in the Central Asian country.

HTTPS data redirected At the beginning of December, the Kazakh government wanted all Internet users in the capital Nur-Sultan (formerly Astana) to have the official (but insecure) root for numerous popular websites – to use the certificate of the country that had to be installed in the browser for this. The ban affected websites such as Twitter and Google and had to be implemented by the country’s Internet service providers. This would have diverted and read out HTTPS data traffic – in fact a man-in-the-middle attack. In addition, unnoticed manipulation of the content would have been possible.

On Friday, however, the four browser manufacturers got together and banned the certificate from their browsers as unsafe. Chrome, Edge, Mozilla and Safari no longer accept it, reports ZDnet. Those who installed the certificate will now see an error message in the browser instead of a website indicating that the certificate is not trustworthy. Mozilla also has a bug tracker entry for this.

Already three attempts to obtain a government monitoring certificate This is Kazakhstan’s third attempt to monitor the country’s Internet traffic. Already 2015 and 2019 the government wanted a Root Certificate Authority (Root-CA) from Mozilla as a be included in the browser in a trustworthy manner. The Mozilla Foundation refused. 2019 Citizens should also install a TLS certificate in order to access certain websites. This was also blocked by the most important browser manufacturers back then.

This measure is justified with “protection” against hackers and fraudsters who are allegedly targeting the Internet in Kazakhstan – against which a browser certificate does nothing, of course can, especially not if it actually undermines secured HTTPS traffic. In addition, it was already said 2019, the government wants to prevent citizens from “viewing illegal content”.

(tiw)