2020-raman-investigating

Investigating Large Scale HTTPS Interception in Kazakhstan

Ram Sundara Raman, Leonid Evdokimov, Eric Wustrow, J. Alex Halderman, Roya Ensafi · Internet Measurement Conference · 2020

canonical link →

Tags

censors: kz
techniques: dpi tls-fingerprint middlebox-interference

findings extracted from this paper

Following publication of the researchers' findings, Mozilla Firefox and Google Chrome shipped changes on August 21, 2019 that completely blocked the Qaznet Trust Network root certificate even if manually installed by users, preventing future re-activation of the interception system without deployment of a new root CA. The paper advocates that browsers display non-intrusive visual indicators whenever a custom root CA is in use, and calls for content providers to detect and share data on large-scale interception via TLS fingerprint monitoring.

§5 policy tls-fingerprint kz
Of the Alexa Top 10,000 domains tested, only 37 triggered interception; 20 were Google services, 7 were Facebook-affiliated, and others included Mail.Ru properties (vk.com, ok.ru) and Twitter — a social media and communication focus consistent with a surveillance rather than security motive. The interception system was intermittently active for 21 days (July 17 – August 7, 2019), including a four-day shutdown for tuning, with a median of 340 TLS hosts observing interception when active.

§4.2.5, §4.2.6 evaluation sni-blocking kz
Kazakhstan's 2019 HTTPS interception affected 7.0% of 6,736 measured TLS hosts when probed from North America and 24% when probed from inside the country; all affected paths traversed AS9198 (Kazakhtelecom), with 95% of injections occurring at two specific IP addresses (92.47.151.210 or 92.47.150.198), indicating a highly centralized interception infrastructure.

§4.2.1–§4.2.2 evaluation dpisni-blockingip-blocking kz
The Kazakhstan interception system connected back to the origin TLS server before issuing a fake certificate, and in doing so exposed a unique TLS fingerprint (hash f09427b5aaf9304b): it used TLS record-layer version 1.0, ClientHello version 1.2, and offered only 13 cipher suites — a fingerprint virtually unseen in normal HTTPS traffic — allowing content providers to detect when a connection was being intercepted.

§4.2.4 detection tls-fingerprintdpi kz
Kazakhstan's interception system triggered solely on the TLS SNI header: a connection was intercepted only if the SNI contained one of 37 targeted domains AND the path passed through specific AS9198 hops; the server's actual certificate needed to be browser-trusted but did not need to match the SNI domain, and interception could be triggered bidirectionally — from outside the country connecting to TLS hosts inside Kazakhstan.

§3.2, §4 detection sni-blockingdpi kz