Since yesterday (July 17, 2019), the Kazakhstan government has started to intercept all HTTPS internet traffic inside its borders by forcing its citizens to install a government-issued root certificate on all their internet-connected devices and in every browser.
This certificate allows the Kazakhstan government to decrypt HTTPS internet traffic, view its contents, and then re-encrypt it with their certificate before it is sent to its destination, making it easy for the Kazakhstan government to surveil its citizens’ online activities.
The certificate is being issued by local internet service providers (ISPs) who have been told by the government that they must tell their end-users to install the certificate on their devices.
Most of the Kazakstan ISPs are forcing their customers to install the certificate by re-directing them to pages with instructions on how to install the certificate. Some Khazakstan media outlets are also reporting that certain ISPs are sending out text messages to their customers (Google Translate link) which tell them to install the government-issued root certificate.
The Kazakhstan government and ISPs are positioning the certificate installation as beneficial to citizens and not mentioning the privacy-invasive nature of this scheme.
For example, the message about this certificate on Kazakhstan ISP Kcell’s website reads:
“In connection with the frequent cases of theft of personal and credential data, as well as money from bank accounts of Kazakhstan, a security certificate was introduced that will become an effective tool for protecting the country’s information space from hackers, Internet fraudsters and other types of cyber threats.
The introduction of a security certificate will help in the protection of information systems and data, as well as in identifying hacker cyber attacks of Internet fraudsters on the country's information space systems, private, including the banking sector, before they can cause damage.
A security certificate is a set of electronic digital symbols used to pass traffic that contains protocols that support encryption. Thus, it will allow Kazakhstani Internet users to be protected from hacker attacks and viewing illegal content.
In accordance with the Law of the Republic of Kazakhstan “On Communications” and paragraph 11 of the “Rules for Issuing and Applying a Security Certificate”, the Company informs subscribers about the need to install a “Security Certificate” on devices with Internet access. In accordance with the requirements of the Legislation, telecom operators ensure the distribution of a security certificate among their subscribers with whom contracts for the provision of telecommunications services have been concluded.
We draw the attention of users to the fact that the installation of a security certificate must be performed from each device that will be used to access the Internet (mobile phones and tablets based on iOS / Android, personal computers and laptops based on Windows / MacOS).
In the absence of a security certificate on subscriber devices, technical limitations may arise with access to individual Internet resources.”
The Kazakhstan government’s decision to infringe on the privacy of its citizens has sparked discussions among developers of the Mozilla Firefox browser on the best way to deal with this going forward. Currently, the most popular suggestion is adding a banner or notification to the browser which alerts users when the Khazakstan government is spying on them.
This isn’t the first time the Kazakhstan government has attempted to force its citizens to install a government-issued root certificate which decrypts their HTTPS internet traffic. Way back in 2015, the country’s government ordered its citizens to install a certificate but ultimately canceled these plans after multiple organizations sued the Kazakhstan government, citing fears that the certificates would weaken the security of the country’s internet traffic.