21/7/2019 News / Kazakhstan news

In my opinion, employees of one or several state authorities of the Republic of Kazakhstan are currently committing a crime against the People of Kazakhstan with the assistance of a number of business entities.

21/7/2019 News / Kazakhstan news

No, I haven’t taken any drugs or something. Let’s try to sort out everything.

Well, what is going on? What happens is that we are tricked into committing actions that might lead to a decrease in the level of information security for everyone who will install the so-called «security certificate», which, in turn, will inevitably result in material losses of citizens. How does it qualify in the criminal law? Fraud? It is quite possible, that is to say, it is committed by a group of persons, by previous concert, using their official position for their own ends in a socially dangerous way. And what if all of this is to justify unreasonable expenses previously incurred out of the state budget for the purchase of goods and services, in which case, it might be done to conceal a previously committed crime.

Why fraudulently? Because a part of what is officially said to support the certificate installation is a lie, and nothing has been reported on shortcomings at all.

For those who do not know me: I am neither a political analyst nor a human rights activist, nor a philosopher. I am an ordinary engineer who has got a higher technical education with a specialization in «Protection and Security of Information» and has been applying my knowledge and skills in practice for a little more than 20 years.

So, let’s take, for a start, the comments of Ablaikhan Ospanov, Vice Minister of the Republic of Kazakhstan Ministry of Digital Development, Innovations and Aerospace Industry made by him at the government briefing on July 19. As far as I know, there have been no other official statements from governmental authorities. For the avoidance of doubt, I give a link to the material, from which I obtained some quotations.

The regulation was included in the Communications Law as far back as in 2015. Today, telecom service providers are obliged to provide this opportunity to the public - to download and install a technical security certificate on their devices.

Yes, there are such regulations in the legislation of the Republic of Kazakhstan. They are, in my opinion, ambiguous, but still exist. I’m sure that if the telecom service providers had at least the slightest opportunity not to do legally what they did, they would have used it.

There are good advantages. They will allow you not to visit phishing sites. You know that there are such ones today as part of hacker attacks when you are sent from one site to another where the leak of personal data that you store is possible. This is the same information on your payment cards and all transactions that you conduct.

The national certificate installation will not facilitate the fight against the phishing in any way. And, taking into account the way of introducing it, it can do harm easily. Making such statement, the Vice Minister not only shows his disrespect to the people, since he lies openly, but also casts a slur on the reputation of all the officers of the Ministry where there are still clear heads.

You may install no certificate thereby your Internet will not be disconnected. You’ll have full access.  Let’s see.

Yes, you may install no certificate (so far), the entire Internet will not be disconnected (so far). But there will be no full access. On social networks, some citizens have already posted their screenshots where it is clear that some popular sites do not launch. But even with the installed certificate, sites may fail to launch at the initiative of the site itself or the browser manufacturer. It will be done due to the detection of a spoofed site certificate on the way from the user’s browser to the server. And these are signs of Man-In-The-Middle (MITM, the man in the middle), a hacker attack: when an attacker is on the path of traffic between the source and the recipient of traffic. As a consequence, the attacker gets the opportunity to analyze all such traffic (including passwords, credit card details etc.).

At present, manufacturers of browsers and operating systems are trying to develop an understanding of what to do with what is happening in our country? There are various suggestions: from the conclusion of an undisguised message with the risks of visiting sites to the blacklisting of our national «security certificate». In the latter case, with the installed national «security certificate», sites will stop launching at all.

In addition, the «competent» government body (yes, that’s right, the telecom service providers have no the closing switch) will have the opportunity to block access to any sites if you use encryption (httpss: // at the beginning of the site address) and you have no installed national security certificate. It is almost in the clear in a message distributed by cellular operators:

Failing a security certificate on subscriber devices, some technical restrictions may be imposed on the access to certain Internet resources.

Well, now «for a dessert». In addition to the restriction of access to information, which is «harmful» to you and access to your confidential information, the «competent» government body will have the opportunity to change the information coming from the site to your browser. For example, it can change the word «Ablyazov» to «Ivanov». Or vice versa: let us assume that you send a message, «Who will go with me to the cinema today?» but it will reach the site as «Who will go with me to an unauthorized rally today?»  

Yes, of course, I do not insist that it will definitely happen right now, but the state creates an opportunity to implement it. The fact that it will be used in the future is beyond my doubt. And those will use the above-said who should do it by force of duty, and those who want to illegally enrich themselves at your cost.

It should be noted that security certificates were not invented on July 17, 2019. That was done much earlier. Almost all the security on the Internet is based on them. So you will ask: «What’s the matter? Why is our national «security certificate» poor? At least, this is the mere fact that it is not trusted in accordance with such regulations and rules as accepted on the Internet. In the world, there are several trusted certification authorities, the information on which has been recorded in browsers and operating systems. They were tested appropriately. Our certificate failed to undergo a test and was not put on the list of the trusted ones. Now we are proposed to install (download) it manually and to indicate by ourselves that it is trusted for us. 

It is proposed, to put it mildly, clumsily. The mere fact that a «security certificate» is proposed to be downloaded from a site, which uses no traffic encryption, is quite a gap in security because already at the download stage, it can be replaced with a bit different one, and you yourself will assign its status as a trusted one on your devices.

If you have a dip into a certificate itself, it will become even more interesting. This is how one of the certificates issued by the RSE «State Technical Service» looks like, whereof it is written in it in the clear.

«Security Certificate»: Crime without punishment?

And this is what the national «security certificate» looks like, which is proposed to be downloaded from https://qca.kz/. Not a word about the belonging to any state body.

«Security Certificate»: Crime without punishment?

Well, let’s see what the Facebook certificate information looks like. It is issued by DigiCert Inc. and signed by the relevant certificates, which are included in the list of the trusted ones in operating systems and browsers.

«Security Certificate»: Crime without punishment?
«Security Certificate»: Crime without punishment?
«Security Certificate»: Crime without punishment?

I suppose that you may have a question but what if the guys from DigiCert Inc. suddenly «want» to cooperate with any US intelligence agency, of course, as part of ensuring the US national security? Theoretically, of course, such possibility cannot be denied. And, if they «want» it, all the delights with reading the traffic will be the same as described for our national «security certificate». But only if it becomes known about even one such case (and when using certificates to attack MITM, it will not be possible to hide it), certificates of this company will be recognized as untrusted, which means that all certificates signed by them will automatically become untrusted. There will be a great scandal. All their quite considerable business will go to pot, and they will even have to apply for a full state support for a substantial period. In other words, I regard the probability of such event as negligible.

Moreover, if normally certificates signed by DigiCert Inc. are used to access Facebook, then in case of the successful launch of the national «security certificate» in MITM mode, the trafficfrom the user’s browser to the special device of the competent authority will be encrypted by the national certificate, and from the special device to Facebook – by the same certificate of DigiCert Inc. That is to say, with this scheme, encryption will be simply added with our certificate. Will it increase the level of your information security? Of course not.

It can be assumed that under the guise of declared benefits for the citizens of our country, the state is trying to ensure the national security of the Republic of Kazakhstan and just thinks it much to tell about it. If so, then the goal is, of course, noble but it just does not fit with the Law of the Republic of Kazakhstan «On the National Security of the Republic of Kazakhstan» No. 527-IV dated January 06, 2012.

According to this law, the ensuring of the national security is the activity of the National Security structure aimed at protecting the national interests from real and potential threats. And the national interests are a set of legislatively recognized political, economic, social and other needs of the Republic of Kazakhstan, on the satisfaction of which the ability of the state to protect human and civil rights, the values of the Kazakhstan society and the foundations of the constitutional system depends.  

So, in the current actions related to the national «security certificate», I personally can see neither the protection of human and civil rights, nor the values of the Kazakhstan society, nor the foundations of the constitutional order.

In relation to the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan, the Ministry of Internal Affairs of the Republic of Kazakhstan, and the National Security Committee of the Republic of Kazakhstan, I do not know for certain, a high-ranking officer of which of the above state authorities is the initiator of this project (I’d like to believe that it is not the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan) but experience suggests that he serves in one of them. It will be pretty good if he makes a statement and acknowledges that it is him. The people should know their «heroes» by sight. Even though it could be the President of Kazakhstan. If so, this is the same time for such acknowledgement.

The employees of telecom service providers of the Republic of Kazakhstan, I know many of you personally, we worked together with someone at different times, and we are still maintaining close contact with some people and have friendship of a lasting consistency with others. Yes, I understand that you have been trying for several years to convey information about the harm of such measures to those who take the decision. Yes, I understand that what is written below may not be pleasant to you, and some may easily put me on the list of their enemies. But the truth is more important. Now you are accomplices. Everyone who is involved in the implementation of this criminal, in my opinion, pilot project, from the chief executives of companies to the employees who sent the SMS message about the certificate installation. Unlike the guys in uniform (they must obey orders), you had a choice. You will say: «What choice? This is a legal requirement!» Let us assume that the legislation of our country requires it indeed. But no one bothered to refuse and leave of their own free will. I understand that to lose now not a bad position in a far from bad company it is not a fun, here each of you made a choice for yourself. You clearly understood earlier and understand now the possible consequences of the operation of the «security certificate» for citizens in the form, in which it is now. So, I repeat, for me, you are accomplices of what I call a crime against the People. I already said it to some of you in our private conversation. If you want to discuss some more, I am always open to dialogue with real experts.

And what is going on in the world? What about the national «security certificates»? As far as I know, not a single similar project in the world has been successful. However, some companies use their own certificates on their servers and on their employees’ work devices. But you should admit that the employer-employee and the state-citizen relations are not the same thing.

The People of Kazakhstan, my fellow countrymen, you are free people of the Great Steppe and are quite capable of deciding on your own whether to install the national «security certificate» on your devices or not. I have set the task to myself just to talk openly about my vision of what is going on, the advantages and disadvantages of the certificate installation. I do not ask to believe me or anyone else. Get information from different sources, compare it and draw conclusions. Whatever your choice is, I will respect it.

Vladimir Turekhanov, 21.07.2019