Issue 622001 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security



telecom.kz asks users to install a root certificate (MitM vulnerability)

Reported by ibmpc.ma...@gmail.com, Jun 21 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Steps to reproduce the problem:
A Kazakhstan ISP asks users to install a trusted certificate on all devices used by the end user, which allows them to do MitM attacks. They even say "If you do not install this certificate, sites like Google, Mail.ru may not work".

Original post (asks to install certificate and provide instructions):
http://telecom.kz/certificate

What is the expected behavior?
This certificate should be banned to prevent leaks of end users' data and to maintain privacy.

What went wrong?
A major Kazakhstan ISP asks users to add a trusted certificate to all devices they use, which is really bad for privacy.

Did this work before? N/A

Chrome version: 51.0.2704.103  Channel: stable
OS Version: 
Flash Version: Shockwave Flash 22.0 r0

The original post is in Russian. I attached the certificate to this report; it is also available on the original post page.

Attachment: Сертификат Gamma_RSA.cer (1.0 KB)
Owner: rsleevi@chromium.org
Thanks for reporting. Unfortunately, I believe this is a new government policy in Kazakhstan where all internet users are required to install a "national security certificate". See http://www.theatlantic.com/technology/archive/2015/12/kazakhstans-new-encryption-law-could-be-a-preview-of-us-policy/419250/ for example.

+rsleevi - I don't think we can do anything about this since it's government policy?
Components: Internals>Network>Certificate
Labels: -OS-Linux OS-All
ACKing this bug. I'll follow up offline, dominick
I believe we developers and technical specialists can do something against this, because if we do not, this new idea of national certificates will rise and make the internet a lot less secure. Moreover, this possibility of decrypting users' private data can be used not only by the government; it's a big vulnerability. I believe browsers should add all certificates of this kind to an internal ban list, not trust them, and keep adding any new certificates.
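A defender-side check in the spirit of the ban list proposed in the comment above, added here as an example and not code from Chromium or from this thread: it walks a DER certificate to its SubjectPublicKeyInfo, pins it as base64(SHA-256) (keying the list by public key rather than by certificate bytes, so a re-issued certificate for the same key is still caught) and flags any root in the local OpenSSL trust store whose pin is on a blocklist. The `fake_cert`/`fake_spki` helpers build a constructed, structurally valid sample with no real key material; the blocklist entries are placeholders, since this page does not give the pin of the attached certificate.

```python
import base64
import hashlib
import ssl

def der_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_pin(spki_der):
    """base64(SHA-256) of a raw SubjectPublicKeyInfo, the usual pin format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_sha256(cert_der):
    """Walk an X.509 DER certificate to its SubjectPublicKeyInfo and pin it."""
    _, pos, _ = der_tlv(cert_der)                       # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)                  # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                           # optional [0] EXPLICIT version
        pos = der_tlv(cert_der, pos)[2]
    for _ in range(5):          # serialNumber, signature, issuer, validity, subject
        pos = der_tlv(cert_der, pos)[2]
    return spki_pin(cert_der[pos:der_tlv(cert_der, pos)[2]])

def blocked_roots(der_certs, blocklist):
    """Pins of the given certificates that appear in the blocklist."""
    return [pin for pin in map(spki_sha256, der_certs) if pin in blocklist]

def scan_system_store(blocklist):
    """Apply the blocklist to every root in the local OpenSSL default trust store."""
    ctx = ssl.create_default_context()
    return blocked_roots(ctx.get_ca_certs(binary_form=True), blocklist)

# Constructed sample data: structurally valid DER, no real key material or signature.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def fake_spki(key_bytes):  # rsaEncryption OID, NULL params, dummy BIT STRING
    return der(0x30, der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") + der(0x05, b"")) + der(0x03, b"\x00" + key_bytes))
def fake_cert(key_bytes, cn=b"Sample Root"):  # sha256WithRSAEncryption OID in alg
    alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn))))
    validity = der(0x30, der(0x17, b"160621000000Z") + der(0x17, b"260621000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name + validity + name + fake_spki(key_bytes))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))
```

Calling `scan_system_store({...})` with real pins reports which blocklisted roots the local store currently trusts; `blocked_roots` can be fed the chain from any TLS connection the same way.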
Project Member

Comment 4 by ClusterFuzz, Jun 22 2016

Status: Assigned (was: Unconfirmed)
Status: ExternalDependency (was: Assigned)
The page now returns 404.

Marking ExternalDependency, because there's nothing I can share at the present.
Status: WontFix (was: ExternalDependency)
Cleaning out stale bugs. Not because I don't care, but because there's nothing we're really going to be able to share on this bug anyways :)
Project Member

Comment 8 by sheriffbot@chromium.org, Dec 8 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
