NCALayer is a tool for signing documents and authorizing into Kazakhstani govt. services such as egov.kz. It's an application written in Java, and thus has to be installed into your machine. We won't discuss the inner mechanism of the app that much, yet I highly dislike the fact that it exists exactly like that.
One thing that we certainly have to mention is ✨safety✨ during the usage of it:
- Installation
- Use Firefox
- Place it into temporary folder
- Download always the latest version
- Immediately stop it after the required usage session is ended
Let us assume you've downloaded installation files from the corresponding website (I assume you downloaded from the actual website, at least to have a reason to blame if anything suspicous happens).
Before the actual installation remember to copy installation files into /tmp
folder (I'll tell later why).
$ cp ncalayer.zip /tmp
Now you have to install it. You can launch it via terminal app unzipping it, and launching the install script:
$ cd /tmp
$ unzip ncalayer.zip
$ bash ncalayer.sh
(I created a smol script you can take a look)
You have actually two ways to install which eventually ends up being only one. And these are GUI install guide (the one written above) and CLI one (you add --nogui
flag).
But the cli one doesn't work at all. You can test it out, I hope it's only me who has that problem. But the script itself needs huge load of requirements to launch, I can't understand why it couldn't be simpler.
After launching the script, you have to choose the folder, and it has to be: /tmp
. You can also choose some different temporary folder which cleares itself after every OS start.
The GUI has two flags (or three) to point out:
- Launch app during start
- Install certificates
Uncheck both of them. You don't need to install certificates right into your machine!
Great. We have NCALayer running right now. Now let's open Firefox and install the certificates. I assume that Firefox is not your main browser, and you use it solely for egov & ncalayer needs. But if Firefox is your main browser, search for ones which are based on Firefox.
- Read this link to find how to set up certificates from files. In order to instal certificates into firefox, you read this.
- Certificates located in
ncalayer.zip
file and they have .crt extenstion. At the last time, when this guide was written, certificates were located in/tmp/additions/cert
folder. - DO NOT INSTALL
root_rca.rct
file
You can't access govt. services without those certificates. But you have to isolate root CAs from the govt given one. Otherwise MITM might happen. And it's not necessarily distrust towards govt. but also the data security policies might lack from their side. I mean if govt. services or some middle node is hacked, they can basically sniff your https traffic easily, and that's not only about your private messages, but the bank card data might be sniffed as well. Better safe than sorry! Since Firefox is the only one which can do such thing, I prefer Firefox instead of having a VM.
We have already covered the installation into /tmp folder. Now let's ask why?!
I don't know what's inside the given java bytecode (you can see it from the ncalayer.sh
installation file, it has that bytecode). But the bytecode might contain anything (yet it would be better to use VM for such reasons, or apparmor, firejail).
And we're not even covering the network side of the installation guide (in order to restrict connections towards websites other than the govt. ones).
Yet placing it into /tmp
one would make the ports of ncalayer for other website inaccessible, if deleted after every launch.
Why would other websites might knock into NCALayer, I thought it's only for govt. services and only?
There are some websites that use NCALayer, and that can use it. For example document signing services are able to do that (I don't want to advertise the one I used, it's absolutely horrible).
13579
and 8443
ports are knocked there, so using you're reducing the cases for unwanted websites trying to get some data from NCALayer (or you).
NCALayer is an app which requires a lot of security and safety. Since one can basically do whatever they'd like to with your signing data, you always have to sure that your app is up to date. I mean check for latest version whenver you use it, since security fixes may show up. And again, they're really vital!
Same reason I mentioned above.
Add some changes made by @carnotaur, thanks a lot