Following moves by Google and Mozilla to block a Kazakhstan government-mandated certificate that facilitated state-sponsored internet surveillance, Apple has done the same in Safari.
In July, the Kazakhstan National Security Committee said that it was rolling out a government encryption certification to protect citizens from “hacker attacks, online fraud and other kinds of cyber threats.” In practice, it was a classic example of a “man-in-the-middle” attack: it not only allowed the government to read any and all content posted on the internet by the user, but also allowed government-sponsored password and credential harvesting.
On Wednesday morning, Apple, Google, and Mozilla made moves to revoke the trusted status of the certificate that the Kazakh ISPs were forced to adopt. Additionally, according to the pair, both are introducing “technical solutions” that will prevent the system from functioning in the future.
“Apple believes privacy is a fundamental human right and we design every Apple product from the ground-up to protect personal information,” the company said in a statement to AppleInsider and other venues. “We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue.”
Reuters reports that Apple hadn’t yet taken measures, but AppleInsider has confirmed that the protections have been in place for at least 12 hours.
“People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security,” Senior Director of Trust and Security at Mozilla Marshall Erwin said in a statement. “We don’t take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists.”
Google had a similar response to the matter, saying that “we have implemented protections from this specific issue, and will always take action to secure our users around the world.”
The Kazakh government shut down the system on August 7. It said that the roll-out was only a test, and declared that should attacks increase again it could, and would, deploy the system again.