Here’s how SSL in North Korea is used
Something about North Korea’s secrecy and eccentric announcements has made it one of the internet’s favorite obsessions. Their leaders have inspired their own memes, and new photos or news about the country often go viral.
The country’s storied internet fame got a new chapter last year, when they made headlines after the breach of Sony Pictures was attributed to them, though many in the cyber security community doubted that claim.
North Korea is incredibly oppressive and controlling when it comes to information and speech. They have their own official operating system and web browser, which have been modified to prevent access to the global internet.
While internet in North Korea does technically exist, it’s limited to an internal network with very few people having access to the rest of the world.
As outsiders, the specifics of internet access and networking in North Korea are not well known. But earlier this month, we got to take a closer look at the state of North Korea’s internet due to a temporary change in the DNS configuration for the .kp domain.
Internet in North Korea
Most countries have ccTLDs, or country code top-level domains like .kp, which are intended for that country’s government, businesses, and organizations. Most TLDs are configured so that you can query their DNS records and see what domains exist.
However, that has never been the case for .kp. This means that the internet mostly had to stumble upon the websites of North Korea.
But, for an unknown reason, the .kp TLD was briefly set to allow DNS zone transfers. This means that the DNS records could be queried and copied. This allowed the TLDR Project to capture all the existing .kp domains, giving us a look at the full extent of North Korea’s websites.
There are 28 websites. That’s right, just 28. For the most part these were normal websites, including an airline booking website, a cooking website, and a university.
Given how different North Korea’s internet is, we took a closer look at how they use SSL.
(Note: The .kp websites have intermittent availability so it’s not unusual if they appear to be down.)
North Korea’s PKI
When you try connecting to the .kp websites over HTTPS some of them return an SSL certificate, issued by an internal CA. This certificate is for “friend.com.kp”, a website which appears to be about fostering relationships with North Korea and educating visitors about the country. Other sites like cooks.org.kp and korelcfund.org.kp return the same certificate and all share the same IP address (220.127.116.11), suggesting the webserver they are hosted on does not support SNI (Server Name Indication, an extension to TLS that allows a server to provide the correct SSL certificate when hosting multiple sites from one IP address).
For the most part, these servers refuse connections over HTTPS, except for one login page on friend.com.kp I was able to find. Most of the sites, besides the previous link, do not seem to have public-facing login or registration functionality. The airline website, which provides flights between China and North Korea, does allow you to create and log in to accounts over HTTP, but does not accept online payments. The server only supports TLS 1.0 and SSL 3.0, and is lacking in modern configuration.
The issuing CA of this certificate is “friendCA,” a private CA that is not trusted by the world’s computers. Since we have no way of accessing the internet from within North Korea, we have no idea if they use this “friendCA” internally.
This CA is operated by the “CCRFC” and the OU (Organizational Unit) is “caTeam”. This suggests that there is some sort of internal PKI operated by North Korea.
Both certificates were created on October 30th, 2015, and both use 1024-bit RSA keys signed with SHA-1. In 2015, 1024-bit keys would have been quite out of date: due to security vulnerabilities, keys below 2048 bits have been forbidden in publicly trusted certificates since 2013.
Looking at the other fields in the certificate, it’s clear that North Korea’s PKI does not follow strict standards. Unsurprisingly, their certificates do not conform to RFC 5280, which provides standards for formatting X.509 certificates (which SSL certificates are). A private CA would have no obligation to do so, but it’s not unheard of to find private CAs following the standard or some adaptation of it.
Neither certificate contains a keyUsage field, which dictates what functions the certificate can perform. Normally you would see “Digital Signature” in all certificates and “Certificate Signing” with CA certificates. The friend.com.kp certificate also lacks a Basic Constraints field.
Both certificates have one SAN (Subject Alternative Name), which is an additional identity that the certificate is valid for. Usually this is another hostname (for example, Subject CN=www.Google.com, SAN=Google.com). However, in this case, the SAN allows the certificate to be used to sign/encrypt for an email address (“RFC822 Name = firstname.lastname@example.org” for the friend.com.kp certificate, and “RFC822 Name = email@example.com” for the friendCA certificate).
The certificates also contain the “Netscape Comment” and “Netscape Cert Type” fields, which are legacy extensions meant for the Netscape browser. We know that “Naenara Web Browser”, the official browser of North Korea, is out of date, but not that out of date.
Given that North Korea does not have ‘normal’ internet or networking, these omissions are not likely to cause many problems. Standards are needed on the internet, where you need interoperability and have a globally trusted PKI and a huge variety of client software. But in North Korea’s one-browser, limited-access intranet, they have very different concerns and needs.
If you would like to take a look at these certificates for yourself, you can download them on Github.
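The weaknesses listed in this section can be checked mechanically from the text dump that `openssl x509 -text -noout` prints. The following is an added example, not code from the original article; the `audit` and `san_covers` helpers are hypothetical names, and the sample dump is constructed from the fields described above.

```python
import re

# Constructed excerpt in the layout of `openssl x509 -text -noout`. It mirrors
# the fields the article reports for friend.com.kp; it is not the real dump.
SAMPLE = """\
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=friendCA
        Subject: CN=friend.com.kp
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:firstname.lastname@example.org
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                constructed sample comment
"""

def san_covers(names, hostname):
    """True if a dNSName equals the host or is a one-label wildcard for it."""
    parent = hostname.partition(".")[2]
    return any(n == hostname or (n.startswith("*.") and n[2:] == parent)
               for n in names)

def audit(text, hostname):
    """Return findings for one certificate text dump (hypothetical helper)."""
    findings = []
    bits = re.search(r"Public[- ]Key: \((\d+) bit\)", text)
    if bits and int(bits.group(1)) < 2048:
        findings.append(f"public key is only {bits.group(1)} bits")
    sig = re.search(r"Signature Algorithm: (\S+)", text)
    if sig and re.search(r"sha1|md5", sig.group(1), re.I):
        findings.append(f"weak signature hash: {sig.group(1)}")
    for ext in ("Key Usage", "Basic Constraints"):
        if f"X509v3 {ext}:" not in text:
            findings.append(f"missing extension: {ext}")
    # SAN values sit on the line after the extension header.
    san = re.search(r"Subject Alternative Name:.*\n\s*(.+)", text)
    entries = [e.strip() for e in san.group(1).split(",")] if san else []
    dns = [e[4:] for e in entries if e.startswith("DNS:")]
    if not san_covers(dns, hostname):
        kinds = sorted({e.split(":", 1)[0] for e in entries}) or ["none"]
        findings.append(f"no dNSName SAN for {hostname}; SAN types: {kinds}")
    legacy = re.findall(r"^\s*(Netscape [A-Za-z ]+?):", text, re.M)
    if legacy:
        findings.append("legacy extensions: " + ", ".join(legacy))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "friend.com.kp"):
        print("-", finding)
```

To run it against a downloaded certificate, pass the output of `openssl x509 -in cert.pem -text -noout` as `text`, where `cert.pem` is a placeholder file name.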
Publicly Trusted SSL In North Korea
We don’t know of any U.S. based CAs that will issue certificates to North Korean websites due to trade sanctions. Not every country has the same sanctions against North Korea, so they do have other options if they wanted to seek out publicly trusted certificates.
Because North Korea controls access to computers and the internet, they would not have the same need for publicly trusted certificates. They could simply install a private root CA into the country’s official Red Star OS. The country may want to avoid doing business with any commercial CA because it could expose information about their network.
Searching Certificate Transparency data only shows three known publicly-trusted certificates for .kp domains, all of which were issued by the Israeli CA StartCom.
Because many CAs do not log certificates, there may be more publicly-trusted SSL certificates that we just do not know of. Besides voluntary logging, crawling (such as by Google’s search engine indexers) is the other primary means for adding certificates to databases such as crt.sh. Because North Korea’s network is inaccessible from outside of the country, crawling these certificates would be impossible.
Two of the StartCom certificates are for smtp.star-co.net.kp, and the third for www.portal.net.kp. Neither of these sites seems to be accessible on the internet.
Star Joint Venture Company is the IANA-assigned operator of the .kp domain. The contact information listed in the IANA directory lists email addresses @star-co.net.kp, as do many of the .kp websites. The existence of an SSL certificate for smtp.star-co.net.kp suggests that this is an address they route email traffic through and that they have taken the precaution to make secure connections available.