research-article

Open access

Investigating Large Scale HTTPS Interception in Kazakhstan

Authors:

Roya EnsafiAuthors Info & Claims

IMC '20: Proceedings of the ACM Internet Measurement Conference

Pages 125 - 132

https://doi.org/10.1145/3419394.3423665

Published: 27 October 2020 Publication History

PDF eReader

Abstract

Increased adoption of HTTPS has created a largely encrypted web, but these security gains are on a collision course with governments that desire visibility into and control over user communications. Last year, the government of Kazakhstan conducted an unprecedented large-scale HTTPS interception attack by forcing users to trust a custom root certificate. We were able to detect the interception and monitor its scale and evolution using measurements from in-country vantage points and remote measurement techniques. We find that the attack targeted connections to 37 unique domains, with a focus on social media and communication services, suggesting a surveillance motive, and that it affected a large fraction of connections passing through the country's largest ISP, Kazakhtelecom. Our continuous real-time measurements indicated that the interception system was shut down after being intermittently active for 21 days. Subsequently, supported by our findings, two major browsers (Mozilla Firefox and Google Chrome) completely blocked the use of Kazakhstan's custom root. However, the incident sets a dangerous precedent, not only for Kazakhstan but for other countries that may seek to circumvent encryption online.

Supplementary Material

MP4 File (imc2020-590-long.mp4)

On July 17, 2019, the Republic of Kazakhstan began intercepting a large fraction of HTTPS traffic within the country using a custom root CA. In this presentation of the paper ?Investigating Large Scale HTTPS Interception in Kazakhstan?, Ram Sundara Raman from the University of Michigan presents an investigation into the interception that critically weakens Internet security for Kazakh Internet users. Conducting measurements from inside Kazakhstan and from the US, the authors were able to track the scale and evolution of the interception, and pinpoint its location within AS 9198, Kazakhtelecom. At least 37 social media related domains were affected by the interception, including domains related to Google, Facebook and Mail.ru. The pilot test of the interception lasted for 21 days, and major browser vendors Mozilla, Google, and Apple consequently blocked the use of the custom CA in their browsers in order to protect the security of users from Kazakhstan.

Download
53.62 MB

MP4 File (imc2020-590-short.mp4)

Download
14.98 MB

References

[1]

J. Aas, R. Barnes, B. Case, Z. Durumeric, P. Eckersley, A. Flores-López, J. A. Halderman, J. Hoffman-Andrews, J. Kasten, E. Rescorla, S. Schoen, and B. Warren. Let's Encrypt: An automated certificate authority to encrypt the entire web. In ACM Conference on Computer and Communications Security (CCS), 2019.

Abstract

Supplementary Material

References

Cited By

Index Terms

Recommendations

HTTPS: a Phishing Attack in a Network

To Intercept or Not to Intercept: Analyzing TLS Interception in Network Appliances

Man-in-the-Middle Attack to the HTTPS Protocol

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations