[ooni-talk] New Report on TLS MITM attacks and blocks in Kazakhstan

Maria Xynou maria at openobservatory.org
Thu Sep 19 21:05:58 UTC 2024


Hello,

Today, in collaboration with Eurasian Digital Foundation and Internet
Freedom Kazakhstan (IFKZ), OONI co-published a *new research report
documenting TLS MITM attacks and the blocking of news media, human rights,
and circumvention tool sites in Kazakhstan*.

Read our report in:
* *English*: https://ooni.org/post/2024-kazakhstan-report/
* *Russian*: https://ooni.org/ru/post/2024-kazakhstan-report/

Our report shares censorship findings based on the analysis of OONI data
collected from Kazakhstan over the past year, as well as legal analysis and
interviews with a few media representatives.

Our analysis of OONI data from Kazakhstan reveals:
* *TLS Man-In-The-Middle (MITM) attacks*
* *Blocking of at least 17 news media websites*
* *Blocking of petition sites and of the Russian language edition of
Amnesty International's website*
* *Blocking of at least 73 circumvention tool websites*

The blocked news media websites include:
* Many Russian news media websites (such as the Russian TV Channel
Tsargrad, Sputnik and Pogrom, the 360 Russian satellite TV channel, and the
Ferghana Information Agency);
* A few Kyrgyz news media websites (Kloop and Centralasia.media);
* One international news website (Vice News).

OONI data shows the targeted blocking of amnesty.org.ru, www.change.org,
www.ipetitions.com, and egov.press. Meanwhile, Amnesty International’s
English language website was accessible in Kazakhstan, as were many other
international human rights websites (such as Human Rights Watch).

OONI data also shows the blocking of numerous censorship circumvention tool
websites, including those of NordVPN, ExpressVPN, ProtonVPN, OpenVPN,
TunnelBear, and Surfshark VPN. However, OONI data suggests that both Tor
and Psiphon VPN were reachable in Kazakhstan during the analysis period.

In almost all cases, the blocks appear to be implemented by means of *TLS
interference*, as OONI data shows that the TLS handshakes result in timeout
errors after the Client Hello message. This is observed uniformly on all
tested networks in Kazakhstan during the analysis period.

Notably, we documented the *use of the latest government-mandated root
certificate authority (CA) – and its use to emit 6 distinct intermediate
certificates – that were used to carry out TLS MITM attacks, targeting at
least 14 domains on at least 19 networks in Kazakhstan*. We found that
these intermediate certificates were even being used to perform MITM
attacks during periods of certificate invalidity.
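The two signatures described above (a handshake that times out after the Client Hello, and a certificate chain that validates only against a government-mandated root) can be told apart from a measurement client's point of view with nothing but the Python standard library. The script below is an added example, not code from the OONI report or from OONI Probe; the function names, the `HANDSHAKE_TIMEOUT` value, the `suspect_root_pem` path and the host in the `__main__` block are assumptions made for illustration.

```python
"""Classify a TLS handshake outcome the way a censorship measurement would:
a timeout after the Client Hello, a chain that fails system-store validation,
or a chain that validates only against one specific (suspect) root.

Added example, standard library only. Helper names, timeout value and the
suspect-root file path are assumptions, not part of the OONI report."""
import socket
import ssl
import time

HANDSHAKE_TIMEOUT = 10.0  # seconds; arbitrary value chosen for this example


def classify_tls_outcome(exc):
    """Map an exception raised during connect/wrap_socket to a coarse label."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_verify_failed"   # chain did not validate against the loaded roots
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"              # no Server Hello arrived after the Client Hello
    if isinstance(exc, ConnectionResetError):
        return "connection_reset"
    if isinstance(exc, ssl.SSLError):
        return "tls_error"
    return "other"


def issuer_common_name(cert):
    """Return the issuer CN from a dict in the shape SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def validity_status(cert, now=None):
    """Compare notBefore/notAfter (format 'Sep 19 21:05:58 2024 GMT') with `now` (epoch seconds)."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < start:
        return "not_yet_valid"
    if now > end:
        return "expired"
    return "valid"


def _handshake(host, port, context):
    """TCP connect, then TLS handshake; returns the validated peer certificate dict."""
    with socket.create_connection((host, port), timeout=HANDSHAKE_TIMEOUT) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def probe(host, port=443, suspect_root_pem=None):
    """Try a normally verified handshake; if the chain is rejected and a suspect
    root is supplied, retry trusting only that root to see whether the chain
    was issued under it (the MITM signature)."""
    try:
        cert = _handshake(host, port, ssl.create_default_context())
        return {"host": host, "result": "ok", "issuer": issuer_common_name(cert)}
    except OSError as exc:  # ssl.SSLError and socket errors are all OSError subclasses
        label = classify_tls_outcome(exc)
    if label != "cert_verify_failed" or suspect_root_pem is None:
        return {"host": host, "result": label}
    suspect_ctx = ssl.create_default_context(cafile=suspect_root_pem)
    try:
        cert = _handshake(host, port, suspect_ctx)
    except OSError:
        return {"host": host, "result": "cert_verify_failed", "suspect_root": False}
    return {"host": host, "result": "mitm_suspect_root", "suspect_root": True,
            "issuer": issuer_common_name(cert), "validity": validity_status(cert)}


if __name__ == "__main__":
    # Network access only when run directly; the PEM path is a placeholder.
    print(probe("example.com", suspect_root_pem="/path/to/suspect-root.pem"))
```

A `timeout` from `probe()` means the TCP connection succeeded but no Server Hello ever arrived, which is the "timeout after the Client Hello" pattern the report attributes to TLS interference. A `mitm_suspect_root` result means the served chain was rejected by the system trust store yet validated once only the suspect root was trusted. Note that OpenSSL's default verification also rejects certificates outside their validity window, so a chain using an expired intermediate shows up as `cert_verify_failed` on both attempts; `validity_status()` is for certificate dicts gathered separately (for example with verification disabled by other tooling) where the dates are the thing being checked.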

Overall, as the timing and types of blocked URLs are consistent across
networks, ISPs in Kazakhstan likely implement blocks in a coordinated
manner. Coordination among ISPs is further suggested by the fact that we
found the same certificate used by 19 distinct ISPs to implement TLS MITM
attacks. These TLS MITM attacks raise concerns because such practices
weaken the online privacy and security of internet users in Kazakhstan.

Learn more through our report: https://ooni.org/post/2024-kazakhstan-report/

We also summarize some of the findings in these social media threads:
https://x.com/OpenObservatory/status/1836831876524527853,
https://mastodon.social/@ooni/113166013137593960

We thank OONI Probe users in Kazakhstan for contributing measurements,
supporting this study.

~ OONI team.