[Cryptography] JSC notifies on introduction of National

CANNON NATHANIEL CIOTA cannon at cannon-ciota.info
Sat Dec 5 02:09:42 EST 2015


> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 3 Dec 2015 03:44:15 +0000
> From: Viktor Dukhovni <cryptography at dukhovni.org>
> To: cryptography at metzdowd.com
> Subject: Re: [Cryptography] JSC notifies on introduction of National
> 	security certificate from 1 January 2016
> Message-ID: <20151203034415.GC18315 at mournblade.imrryr.org>
> Content-Type: text/plain; charset=utf-8
> 
> On Wed, Dec 02, 2015 at 07:19:27PM -0500, Phillip Hallam-Baker wrote:
> 
>> http://telecom.kz/en/news/view/18729
>> 
>> According to the Law telecom operators are obliged to perform traffic pass
>> with using protocols, that support coding using security certificate,
>> except traffic, coded by means of cryptographic information protection on
>> the territory of the Republic of Kazakhstan.
>> 
>> The national security certificate will secure protection of Kazakhstan
>> users when using coded access protocols to foreign Internet resources.
> 
> Original: http://telecom.kz/news/view/18729
> 
>     Согласно Закону операторы связи обязаны осуществлять пропуск трафика
>     с использованием протоколов, поддерживающих шифрование, с применением
>     сертификата безопасности, за исключением трафика, шифрованного средствами
>     криптографической защиты информации на территории Республики Казахстан.
> 
>     Национальный сертификат безопасности обеспечит защиту казахстанских
>     пользователей при использовании протоколов шифрованного доступа к
>     зарубежным ресурсам сети Интернет.
> 
> My translation:
> 
>     According to the Law network operators are required to implement
>     use of the [national] security certificate for transmission of
>     traffic which employs encryption-capable protocols, with the
>     exception of traffic, encrypted by cryptographic security
>     systems on the territory of the Republic of Kazakhstan.
> 
>     The national security certificate will ensure the protection
>     of Kazakhstan users when using encrypted protocols to access
>     foreign Internet resources.
> 
> It goes on to say:
> 
>     АО «Казахтелеком» обращает особое внимание пользователей на то,
>     что установка сертификата безопасности должна быть выполнена
>     с каждого устройства абонента, с которого будет осуществляться выход
>     в сеть Интернет (мобильные телефоны и планшеты на базе iOS/Android,
>     персональные компьютеры и ноутбуки на базе Windows/MacOS).
> 
>     Kazakh-telekom specifically brings to the attention of users
>     that the installation of the [national] security certificate
>     must be completed on each customer device that will be used to
>     access the Internet (mobile phones, iOS/Android tablets, personal
>     computers and notebooks running Windows/MacOS).
> 
> --
> 	Viktor.
> 




First question, how specifically will they detect if the certificate has 
been installed on a user's device? Is there any way a user could go 
without the backdoor (aka government root certificate) undetected if 
they do not connect to a server outside of Kazakhstan?

Second question: does this apply to just the destination server, or 
does it also apply to hops along the pathway to the server? I.e., if the 
server is in Kazakhstan but the traceroute to that server momentarily 
leaves the national borders.



-- 
Cannon N. Ciota
Email: cannon at cannon-ciota.info
PGP Fingerprint: E7FB 0605 1BD4 8B88 B7BC 91A4 7DF7 76C7 25A6 AEE2

