Root certificates are the cornerstone of authentication and security in software and on the internet. They are issued by a certificate authority (CA) and essentially verify that the software or website owner is who they say they are.
In 2019, news outlets reported that the Kazakhstan government had taken extreme steps to surveil its citizens. To that end, the government has been using a tool called a root certificate, and this tool has been used to spy on the online activities of citizens.
As an internet user, you should be aware of how security tools can be misused, and the misuse of root certificates is not only a problem in Kazakhstan. A misused root certificate puts your privacy in danger and exposes the data collected about the sites you visit and the messages you send online.
What a Root Certificate Is
While browsing websites like Underspy, you will see that the URL starts with https instead of http, and an icon that looks like a lock is visible next to the URL in the address bar.
With this encryption, data passed between you and the website is secure. When you browse a website with these features, you can be sure that the site you are accessing is the one it claims to be, not an imposter site trying to steal your data.
To get that lock symbol that users can trust, site owners pay an organization called a Certificate Authority (CA) to verify them. When a CA verifies that a site is authentic, it issues a security certificate. The developers of web browsers like Firefox and Chrome keep a list of trusted CAs whose certificates they accept.
So when you visit a site like Underspy, your browser finds the certificate, verifies that it comes from a trusted CA, and displays the site as secure.
A root certificate is the highest level of security certificate available. It is important because this “master certificate” vouches for all the certificates below it, which means the security of the root certificate determines the security of the entire system. Developers use root certificates for many valid reasons.
However, when a government or other entity misuses a root certificate, it can intercept encrypted communications and access private data.
How Root Certificates Are Misused by the Government in Kazakhstan
In July 2019, the government of Kazakhstan issued an advisory to Internet Service Providers (ISPs) in the country, telling them to make installation of a government-issued root certificate mandatory for users to access the internet. The government-issued certificate is called “Qaznet” and is described as a “national security certificate”. ISPs dutifully directed their customers to install the certificate if they wanted to access the internet.
Once the certificate is installed, the government can use it to intercept a huge amount of browsing data. It can see activity on popular sites like Google, Facebook, and Twitter, decrypt HTTPS and TLS connections, and access account usernames and passwords.
This means that no site is secure if the certificate is installed. The government is essentially launching a “man in the middle” attack on the entire country, according to security blog The Hacker News. Because the ISPs make the certificate mandatory, there is no way for users to easily avoid it if they want to continue accessing the internet.
Furthermore, the certificate can only be installed over a non-HTTPS connection: a person must use a less secure HTTP connection to download it, and attackers could intercept this process to install their own malicious certificate instead.
What to Do about the Misuse of Root Certificates as a User
The misuse of root certificates is obviously worrying, but what can you actually do about it as a user? Firstly, if you are in Kazakhstan you should not install the certificate on your device. If you have already installed it, uninstall it immediately and change the passwords to all your online accounts. This will prevent the government from accessing your browsing data.
If you live in a country with high levels of internet surveillance, you should be on the lookout for dubious certificates. If you are asked to install a security certificate, you should research whether it is trustworthy before installing it on your device.
You should also take other steps to protect your data: use a VPN to shield you from surveillance, and consider using the Tor browser to access the internet anonymously. Be careful with email as well, as it is very difficult to protect email messages from surveillance; consider using a secure messaging app like Signal or Telegram instead.
How Technology Companies Respond to Invasive Root Certificates
Technology companies Google, Apple, and Mozilla have responded to the situation in Kazakhstan and pledged to protect users against government surveillance. The Google Chrome browser now blocks the certificate used by the Kazakhstan government, according to a blog post.
Google has taken this action “to protect users from the interception or modification of TLS connections made to websites.” Users don’t need to take any action to be protected; the browser automatically blocks this particular certificate.
Similarly, Mozilla has deployed a fix to its Firefox browser that also blocks the certificate used by the Kazakhstan government. The company announced the fix with a senior engineer stating, “We don’t take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists.” In conjunction with Chrome, Firefox applies the block automatically.
Mozilla also mentioned past attempts by the Kazakhstan government to intercept internet traffic, including an unsuccessful attempt to have a root certificate included in Mozilla’s trusted root store program in 2015.
How to Remove Certificates You Don’t Need or Trust
Signing certificates give criminals many options to bypass system protection mechanisms, which is why you might want to remove untrusted ones from your machine. There is also a test site where you can check whether any software programs that are open to an MitM attack are active on your system.
To delete a trusted root certificate, follow the steps below:
- First, open the Certificates snap-in for a user, computer, or service. You can do this by running certmgr.msc from the Run/Search programs box or from a command prompt.
- Select Trusted Root Certification Authorities.
- Under this selection, open the Certificates store.
- In the details pane on the right-hand side, select the line of the certificate that you want to delete. To select multiple certificates, hold down Ctrl and click each certificate.
- Right-click the selection and, in the Action menu, click Delete.
- If you are completely sure that you want to permanently delete the certificate, confirm your choice by clicking Yes.
Note that user certificates can be managed by the user or by an administrator, while certificates issued to a computer or service can only be managed by an administrator or a user who has been given the appropriate permissions. You might want to back up the certificate by exporting it before you delete it.
Final Thoughts
Since root certificates are intended to strengthen security, it should be clear to those issuing them that they must be treated as such, and not as something that can be installed whenever it suits their needs.
The situation in Kazakhstan described above is just one example of how governments can spy on their citizens through their internet activity. You should learn how governments and companies deploy surveillance techniques so that you can try to avoid them.
This is not only a problem in other countries; remember that places like the US and the UK have a history of spying on their citizens as well.