Microsoft is making it easier for the Thai government to break web encryption

Microsoft is the only major tech company to trust Thailand’s national root certificate by default, report says

The Thai government is looking to take greater control over its citizens' web encryption, according to a new report from Privacy International, and Microsoft is part of the problem. 

At issue is the Thai government's root certificate, which is used to verify HTTPS-enabled websites. Windows automatically trusts the certificate, but many competing operating systems do not. Used maliciously, the root certificate could allow the government to smuggle malware into otherwise legitimate pages, or present counterfeit versions of entire websites. Privacy International cites Thailand's history of government surveillance as good reason to be suspicious.

The report also claims that a 2014 Facebook outage in Thailand, which occurred amid a military coup, was orchestrated not only to censor users but to circumvent the social network's encryption, as well.

Trusting the Thai certificate “should not be taken lightly”

The Thai government has long exerted tight control over the internet, and the Thai military junta has only escalated the crackdown since taking power in 2014. Citizens have been jailed for criticizing the monarch on social media, and the legislature has moved to centralize its web controls. The report also notes that the government conducted downgrade attacks in September 2014, forcing users to send emails via unencrypted channels where they can be easily intercepted.

“Trusting a national root certificate from a country whose governments have a history of human right violations and a poor record on civil rights and freedom of speech should not be taken lightly,” Eva Blum-Dumontet, a research officer at Privacy International, said in a statement.

Microsoft is the only major web company that automatically trusts the Thai national root certificate. Apple’s Mac OS X does not accept the national root certificate by default, nor do the Chrome or Firefox web browsers. In its report, Privacy International called on Microsoft to not trust the certificate by default “as a precautionary measure.”
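For an administrator who wants to follow Privacy International's recommendation on their own Windows machines, the script below audits the local root stores for a CA by subject name and can move it into the Disallowed store. This is an added example, not code from the article, Privacy International or Microsoft; the subject pattern is a placeholder, since the article does not name the certificate.

```powershell
# Audit the Windows root stores for a CA by subject name and, with -Distrust,
# copy it into the Disallowed store so chains ending in it fail validation.
# Added example for this article; the subject pattern is a placeholder and
# must be replaced with the real certificate's subject or thumbprint.
param(
    [string]$SubjectPattern = '*PLACEHOLDER-NATIONAL-ROOT-CA*',
    [switch]$Distrust
)

# Built-in and auto-updated third-party roots live in Root and AuthRoot.
# Caveat: Windows also fetches roots on demand from its Certificate Trust
# List, so a root may be absent here until a chain using it is first seen.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $SubjectPattern } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output "No root matching '$SubjectPattern' found in the local stores."
    return
}

$found | Format-Table -AutoSize

if ($Distrust) {
    foreach ($m in $found) {
        $cert = Get-Item -Path "$($m.Store)\$($m.Thumbprint)"
        # An entry in Disallowed makes chain building fail for anything issued
        # under it, without deleting the root from its original store.
        $tmp = Join-Path $env:TEMP "$($m.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $tmp | Out-Null
        Import-Certificate -FilePath $tmp -CertStoreLocation 'Cert:\LocalMachine\Disallowed' | Out-Null
        Remove-Item -Path $tmp
        Write-Output "Added $($m.Thumbprint) to Cert:\LocalMachine\Disallowed."
    }
}
```

Run from an elevated PowerShell session; without -Distrust the script only reports what it finds.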

In a statement to The Verge, Microsoft said Thailand’s root certificate meets its standards. “Microsoft only trusts certificates issued by organizations that receive Certificate Authority through the Microsoft Root Certificate Program,” a Microsoft spokesperson said. “This program is an extensive review process that includes regular audits from a third-party web trust auditor. Thailand has met the requirements of our program and you can review the details of the latest audits here and here. This thorough review, backed by contractual obligations is not reflected in Privacy International’s assessment of the risks.”

This isn’t the first time that concerns have been raised over certificates. Last year, both Mozilla and Google announced that they would no longer trust certificates issued by WoSign and StartCom, two China-based certificate authorities, amid concerns over suspicious activity. (StartCom, an Israeli CA, was quietly acquired by WoSign in 2015.) The web companies found that WoSign had back-dated some certificates, raising the possibility that they could be used to impersonate websites or conduct surveillance.

The report also provides new details on a brief Facebook blockage that occurred in May 2014. At the time, Thailand’s Information Communications Technology (ICT) Ministry said that the social network was blocked to “stop the spread of critical messages” about the military coup. A military spokeswoman later blamed the half-hour outage on “technical problems with the internet gateway.”

But Privacy International, citing sources close to the ICT and in Thailand’s telecommunications sector, reports that although the government may have been trying to muzzle online criticism by blocking Facebook, it was also trying to circumvent the service’s SSL encryption. One source in the telecoms sector was asked to contact Facebook about sending traffic over HTTP, rather than the more secure HTTPS protocol.

The government’s so-called “door-knocking” strategy does not appear to have worked, since there is no evidence that encryption was circumvented on Facebook. But Privacy International says the incident underscores a broader authoritarian trend in Thailand, where internet service providers (ISPs) and telecom companies are closely linked to the government, and where authorities are increasingly pursuing low-cost forms of online surveillance.

“The evidence of the revolving door between the corporate sector and the government means that those at the head of communication service providers are always in close contact with the government,” the report reads, “thus enabling softer forms of political influence to surveil people and ultimately erode people’s privacy.”

Update January 25th, 7:35PM ET: Updated with a statement from Microsoft