What you need to know
- Browser makers are blocking a root certificate Kazakhstan ISPs were forced to install to spy on citizens.
- Google, Mozilla, and Apple are all blocking the certificate.
- This protects users of Safari, Chrome, and Firefox from the certificate.
ISPs in Kazakhstan were forced to install a root certificate that allowed the government to effectively spy on its citizens by breaking HTTPS encryption and monitoring which web pages they visited and what information was being sent back and forth.
Apple, which makes the Safari browser pre-installed on Macs, iPhones, and iPads; Mozilla, which makes Firefox; and Google, which makes Chrome, the browser for PCs, ChromeOS and Android, have all now moved to ban that certificate. There's no word yet on whether Microsoft has put a similar block in place for Edge.
Apple sent me the following statement:
Apple believes privacy is a fundamental human right, and we design every Apple product from the ground up to protect personal information. We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue.
ZDNet also has statements up from Google and Mozilla.
"We will never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users' data. We have implemented protections from this specific issue, and will always take action to secure our users around the world," said Parisa Tabriz, Senior Engineering Director on Google Chrome.
"People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security. We don't take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists," said Marshall Erwin, Senior Director of Trust and Security at Mozilla.
From now on, Safari, Firefox, and Chrome will throw up errors if and when they encounter the Kazakh root certificate. And good for them. Once any government starts to sink its surveillance fangs into core internet technology, and breaks the encryption fundamental to not only privacy but security, all governments and enterprises, fearful and malevolent, will follow.
It's much easier to stop it before it starts.