[perpass] Kazakhstan to MITM all SSL traffic on January 1st, 2016

Yakov Shafranovich <yakov@shaftek.biz> Thu, 03 December 2015 13:43 UTC


This is being done via a "national" SSL certificate.

Original post has been taken down, archived version here:
https://web.archive.org/web/20151202203337/http://telecom.kz/en/news/view/18729

Hacker News:
https://news.ycombinator.com/item?id=10663843

Text:
-----
Kazakhtelecom JSC notifies on introduction of National security
certificate from 1 January 2016

From 1 January 2016 pursuant to the Law of the Republic of Kazakhstan
«On communication» Committee on Communication, Informatization and
Information, Ministry for investments and development of the Republic
of Kazakhstan introduces the national security certificate for
Internet users.

According to the Law telecom operators are obliged to perform traffic
pass with using protocols, that support coding using security
certificate, except traffic, coded by means of cryptographic
information protection on the territory of the Republic of Kazakhstan.

The national security certificate will secure protection of Kazakhstan
users when using coded access protocols to foreign Internet resources.

By words of Nurlan Meirmanov, Managing director on innovations of
Kazakhtelecom JSC, Internet users shall install national security
certificate, which will be available through Kazakhtelecom JSC
internet resources. «User shall enter the site www.telecom.kz and
install this certificate following step by step installation
instructions» - underlined N. Meirmanov.

Kazakhtelecom JSC pays special attention that installation of security
certificate can be performed from each device of a subscriber, from
which Internet access will be performed (mobile telephones and tabs on
base of iOS/Android, PC and notebooks on base of Windows/MacOS).

Detailed instructions for installation of security certificate will be
placed in December 2015 on site www.telecom.kz.

PR department
Kazakhtelecom JSC

30.11.2015
-----