MICROSOFT IS HELPING the military government in Thailand spy on opposition figures and anyone who dares to utter a word against the country's monarchy by trusting the Thai national root certificate in its operating system and browser software by default.
The claims have been made in a new report from campaigning group Privacy International released today, although in a statement given to INQ Microsoft rejected the organisation's claims, pointing to independent auditing of all root certificate authorities 'trusted' by the company.
Nevertheless, Privacy International asserts that Microsoft's trust decision means the Thai military government is potentially able to use its control of the national root certificate authority to launch man-in-the-middle attacks, in order to capture people's log-in details for social media accounts, online banking accounts and more.
Governments have abused control over national internet infrastructure to intercept their citizens' communications before, notably the authoritarian government of Tunisia until its overthrow in the Arab Spring in January 2011.
Neither Apple, nor Google, nor Mozilla trusts Thailand's national root certificate by default.
"The reason the redirection toward a malicious website is not detected is because a user's computer trusts the root certificate. Operating systems like Mac or Windows come with a series of trusted root certificates by default. As long as your operating system trusts a root certificate it can be impossible to detect a malicious use," suggests the report.
"In addition, web browsers can have their own independent certificate stores that may not match that of the operating system. This can be good and bad. If an operating system does not trust a given certificate but the browser does, the user will be unlikely to be given a warning about an untrustworthy site.
"However, the more likely scenario is that a browser will trust a subset of those certificates trusted by the operating system. Of course, other services, such as email and virtual private network may rely on the operating system trust store and therefore be vulnerable to attacks that SSL web traffic may not."
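The practical check behind the report's point about operating-system trust stores. The following PowerShell is an added example written for this page, not code from Privacy International or Microsoft. It assumes the Thai national root can be recognised by the string 'Thailand' or the country attribute 'C=TH' in its subject; that pattern is an assumption, so confirm the match list before acting on it. The script lists matching roots already present in the Windows stores, pulls the full Microsoft Root Certificate Program set with certutil (the local AuthRoot store is populated lazily, so a program root that has never been needed on the machine is absent locally yet still trusted), and, if run with -Distrust, copies the matches into the Disallowed store, which Windows treats as an explicit untrust, so a man-in-the-middle chain ending in that root fails validation for every SChannel client on the machine.

```powershell
# Added example for this page (not from the Privacy International report or
# from Microsoft). Run in an elevated (Administrator) PowerShell session.
# Assumption: the Thai national root is identifiable by 'Thailand' or 'C=TH'
# in its Subject; review the matches before distrusting anything.
param([switch]$Distrust)

$pattern = 'Thailand|C=TH'

# Local stores: Root = roots shipped in-box or installed by an admin/user,
# AuthRoot = roots delivered by the Microsoft Root Certificate Program.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
          'Cert:\CurrentUser\Root'
$local = Get-ChildItem -Path $stores |
    Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }

# AuthRoot only holds roots Windows has already fetched on demand, so check
# the authoritative program list by downloading it from Windows Update.
$dump = Join-Path $env:TEMP 'msroots'
New-Item -ItemType Directory -Path $dump -Force | Out-Null
certutil.exe -syncWithWU $dump | Out-Null
$program = Get-ChildItem -Path $dump -Filter *.crt | ForEach-Object {
    New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
               -ArgumentList $_.FullName
} | Where-Object { $_.Subject -match $pattern }

'--- Matching roots already in local stores ---'
$local | Select-Object Subject, Thumbprint, NotAfter, PSParentPath | Format-Table -AutoSize
'--- Matching roots in the Microsoft Root Certificate Program set ---'
$program | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

if ($Distrust) {
    # A certificate in the Disallowed store makes Windows reject every chain
    # that ends in it, whatever Root/AuthRoot say; this is the same mechanism
    # Microsoft itself uses to pull trust from a compromised CA.
    foreach ($cert in (@($local) + @($program) | Sort-Object Thumbprint -Unique)) {
        $cer = Join-Path $env:TEMP ($cert.Thumbprint + '.cer')
        Export-Certificate -Cert $cert -FilePath $cer -Force | Out-Null
        Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Disallowed | Out-Null
        "Distrusted: $($cert.Subject) ($($cert.Thumbprint))"
    }
}
```

This changes what CryptoAPI/SChannel trusts, so it covers exactly the clients the report flags as depending on the operating-system store (mail clients, the built-in VPN client, Internet Explorer and Edge); Firefox carries its own NSS store and is unaffected either way. A later Windows Update can re-deliver the root into AuthRoot, but the Disallowed entry still wins; to reverse the change, delete the certificate from Cert:\LocalMachine\Disallowed.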
The claims are made in a new report, "Who's That Knocking at my Door? Understanding Surveillance in Thailand", which was released on Thursday by Privacy International.
The organisation claims that Thailand's military government is using a combination of direct control of communications companies and the deployment of various techniques to crack encrypted communications in order to spy on people. Control of the nation's own root certificate authority is just one aspect of this surveillance strategy.
The Thai government has also been deploying its archaic lese-majeste laws - laws against insulting the monarchy - against opponents following the death of King Bhumibol.
"It is concerning to see that Microsoft trusts the Thai national root certificate by default when every other company we looked at - Apple, Mozilla and Google - appears to have made the decision not to trust it," said Privacy International research officer Eva Blum-Dumontet.
She warned that Microsoft's decision made Windows users in Thailand particularly vulnerable to invasions of privacy and state surveillance "should the Thai military government misuse the root certificate".
She added: "Trusting a national root certificate from a country whose governments have a history of human right violations and a poor record on civil rights and freedom of speech should not be taken lightly."
Thailand's government has exerted tight control over the internet since the first internet service providers were allowed to set up in the country in December 1994.
Privacy International also suggested that the 30-minute cut in access to Facebook in May 2014, following the military coup, was not an intended shutdown at all but the by-product of something else. The incoming Thai government really wanted to spy on the communications and conversations of Thai citizens on the social networking platform, in order to prevent opposition to the coup from gathering pace.
"The military government may indeed have tried to ban Facebook to shut down dissent. However, our sources suggest that the strategy was not a simple Facebook shut down, but an attempt to circumvent SSL encryption," claimed Privacy International in its report.
It claims that the Thai government approached Facebook to request that it route traffic over unencrypted HTTP instead of HTTPS, to make it easy to spy on people. "As no evidence suggests that the Thai government had managed to circumvent encryption at that time, we assume the attempt was not successful," concludes the report.
"This discovery raises vital questions regarding the motivation for internet shut downs in the rest of the world and demands that closer attention be paid to their potential role in facilitating surveillance," added Blum-Dumontet.
INQ contacted Microsoft for comment, which claimed that there was absolutely nothing to worry about.
"Microsoft only trusts certificates issued by organisations that receive Certificate Authority through the Microsoft Root Certificate Programme," a spokesperson said. "This programme is an extensive review process that includes regular audits from a third-party web trust auditor.
"Thailand has met the requirements of our program and you can review the details of the latest audits here and here (PDF). This thorough review, backed by contractual obligations, is not reflected in Privacy International's assessment of the risks."