Paper summary: Investigating Large Scale HTTPS Interception in Kazakhstan (IMC 2020)

Investigating Large Scale HTTPS Interception in Kazakhstan
Ram Sundara Raman, Leonid Evdokimov, Eric Wustrow, J. Alex Halderman, Roya Ensafi

This paper is a measurement study of the TLS interception that took place in Kazakhstan from 2019-07-17 to 2019-07-26 and from 2019-07-30 to 2019-08-07. On 2019-07-17, ISPs sent text messages to their customers, instructing them to install a government-issued trusted root certificate. The research team began preliminary experiments a few days later, on 2019-07-20. They used Hyperquack, in-country VPSes, and RIPE Atlas probes to see whether it the interception could be detected using remote measurement techniques. The Hyperquack and RIPE Atlas tests found several domains for which bogus certificates were injected, showing that interception was occurring and could be measured in either direction. With this knowledge, they began large-scale experiments on 2019-07-22. They made TLS handshakes from the U.S. to servers in Kazakhstan, combined with direct measurements to the same server from a VPS located in the country. They tested SNI values from an Alexa top 10,000 list. The targets of the measurements were HTTPS servers in Kazakhstan that had a valid TLS certificate.

The experiments found 37 SNIs that caused the injection of a bogus certificate signed by the government’s root. The affected domains were mostly those of Google, Facebook, and (Table 2). But not every network path into Kazakhstan was affected—only those that passed through AS 9198 (Kazakhtelecom). TTL-limited probes from the in-country VPS further confirmed the location of the interception equipment in AS 9198, suggesting a centralized installation of interception equipment. A curious detail is that the subject names in the injected certificate were copied not from the client’s SNI, but from the genuine certificate of the destination server. In order to know what subject names to use, the interception system had to probe destination servers on the fly; the team recorded these probes and the interception system’s unusual TLS fingerprint (archive).

Major web browsers shipped changes to block the use of the government root certificate, though only after interception had already stopped. The authors recommend a quicker response from browser makers in the future. They further recommend being prepared for future interception events like this one.

Weeks after the paper was published, on 2020-12-06, the TLS interception system was reactivated with a different certificate, but only for about one day. This time, browser makers reacted more quickly, blocking the certificate on 2020-12-18.

Thanks to the authors for reviewing a draft of this summary.