Originally published at: https://tidbits.com/2019/08/21/apple-google-and-mozilla-team-up-to-block-kazakhstani-surveillance/
The major browser makers—Apple, Google, and Mozilla—have all taken measures to block an attempt by the Kazakhstani government to spy on its citizens.
Are we watching the next form of government evolving? We’ve tried tribal, religious, national. Now corporate? They have all been covered by SciFi authors.
Yeah, it really does feel like we’re entering a sci-fi novel in some ways.
I had an interesting experience a few years ago in a country that shall remain nameless, but is geopolitically close to Kazakhstan.
We were using OpenDNS for all our upstream resolution. One day the staff complained to me that the internet wasn’t working. I quickly discovered that the ISP had blocked OpenDNS. We took the matter up with them and were told that they had received a higher ruling that all DNS resolution had to be in country and we must switch to using their DNS servers. Does this smell like a desire to poison caches? We subsequently set up dnscrypt to access OpenDNS over port 443. It lasted a few months, but eventually they sniffed that out and blocked all access to OpenDNS’s IP addresses.
Some time later I was talking with an ex-pat from another firm. He was having trouble with Gmail. Sometimes Chrome would refuse to connect to his Gmail account, but he would have no trouble connecting right away with Firefox or IE. Chrome performs certificate pinning and will block anything but the correct Google certificates. So this pretty much confirmed that the government of that country had the ability to generate SSL certificates that Firefox and IE would trust.
Surely the SSL certificate system is fundamentally flawed when these corporations get to decide which governments have access to trusted root certificates.
Oh, that’s fascinating. I wonder how Safari would work in such a situation?
It depends on what root certificates Apple has included. @epi’s Gmail example is fundamentally the same as the Kazakhstan story; Safari probably had the same root certificates as the other browsers. Heck, Chrome probably had the certificate as well, but since Google makes both Chrome and Gmail, Chrome didn’t have to trust its store of root certificates (which can include certificates that enable such spoofing); for Gmail it only trusts the exact certificate Chrome expects for that site.
Certificate pinning was a fad for a while but it doesn’t scale; it can still be worth doing by those who control the browser and have critical servers (e.g. Apple could use certificate pinning to make sure Safari only visits a site like iCloud.com).
Safari uses the OS’s store of root certificates found in Keychain Access.app under System Roots. As far as I know, other browsers on macOS don’t use the System Roots; they maintain their own within the browser application. You can see Firefox’s by going to Preferences > Privacy & Security, and clicking the View Certificates button to open the Certificate Manager. Firefox root certificate lists are also published on the web.
On iOS, I don’t know if 3rd party browsers maintain their own root certificate stores or if they have to use the iOS root certificates just as they have to use Apple’s WebKit rendering. I think any app can use certificate pinning to prevent rogue certificate authorities spoofing the servers those apps connect to.
While I don’t agree with what Kazakhstan was trying to do, I do find it a bit tough and ironic that they are being punished for trying somewhat transparently to do what perhaps half the governments of the world (and many major businesses) can already non-transparently accomplish. And it is the complicity of those corporations who have now punished Kazakhstan who allow those other governments to do this.
Who is it really who determines what certificates are in the trust stores of our browsers and systems? They are deciding for me who I have to trust, and it is anything but transparent. I know I can alter the trust settings on my Mac in Keychain Access. And I have on occasion done this. But trying to find out who the CAs behind these certificates are and why they are necessary is impossible. And on iOS it is totally impossible to even look at the list of certificates, let alone alter the trust settings.
I like the idea of certificate pinning and really wish there was a Safari plugin that would keep a database of certificates I have seen and tell me when the certificate has changed. This would be especially valuable for online banking and other payment sites. I run a manual system of checking the SHA signatures of the certificates before each login. I would not be at all surprised to find that Safari is pinning the certificates for iCloud, but then again, it’s not that long ago that Safari was in the wild with a bug that prevented it from checking certificates at all.
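The "database of certificates I have seen" idea from the post above, sketched as an added example that is not part of the original thread or any browser's own code: a trust-on-first-use store that records a SHA-256 fingerprint per host and reports when the served certificate differs. The names `check_pin`, `accept`, `pins.json` and the host `bank.example` are hypothetical, and the certificate bytes in the demo are constructed stand-ins.

```python
import hashlib, hmac, json, socket, ssl, tempfile
from pathlib import Path

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Leaf certificate as served, after the normal trust-store validation.
    A locally installed interception root passes that validation, which is
    why the pin comparison below is a separate check."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _load(store: Path) -> dict:
    return json.loads(store.read_text()) if store.exists() else {}

def accept(store: Path, host: str, der: bytes) -> None:
    """Record (or replace) the pin for host, after out-of-band verification."""
    pins = _load(store)
    pins[host] = fingerprint(der)
    store.write_text(json.dumps(pins, indent=2, sort_keys=True))

def check_pin(store: Path, host: str, der: bytes) -> str:
    """Return 'first-seen', 'match' or 'CHANGED'.
    First use is trusted blindly (if that connection was intercepted, the
    interceptor's certificate is what gets pinned). A changed certificate is
    never stored automatically; routine renewal also reports CHANGED."""
    pinned = _load(store).get(host)
    if pinned is None:
        accept(store, host, der)
        return "first-seen"
    return "match" if hmac.compare_digest(pinned, fingerprint(der)) else "CHANGED"

if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; a live check would pass
    # fetch_leaf_der("bank.example") instead (hypothetical host).
    store = Path(tempfile.mkdtemp()) / "pins.json"
    original, substituted = b"constructed-cert-A", b"constructed-cert-B"
    for der in (original, original, substituted):
        print(check_pin(store, "bank.example", der))
```

Pinning the whole leaf certificate means every legitimate renewal shows up as `CHANGED`, so each alert still needs a manual comparison against a fingerprint obtained through another channel before calling `accept`.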