Update: On August 6, 2019, TSARKA, a cyberattack prevention body in Kazakhstan, announced that those who have established the National Certificate may delete it since it will no longer be needed. “Officials explained that it was happening because of the new security system’s testing,” TSAR mentioned. TSAR was officially informed that the tests were completed, all the tasks set during the pilot were successfully solved. However, they further said, “the need for its installation may arise in cases of strengthening the digital border of Kazakhstan within the framework of special regulations.”
On Wednesday, July 17, 2019, the Kazakhstan government started intercepting internet traffic within its borders. The government further instructed all the ISPs to force their users to install a government-issued root certificate by Quaznet Trust Network on all devices and in every browser.
With the help of this security root certificate, the local government agencies will be able to decrypt users’ HTTPS traffic, sneak into their content, re-encrypt it with the government’s own certificate, and later send it to its destination; thus allowing for the possibility of a nation-wide man-in-the-middle (MITM) attack.
Since Wednesday, all internet users in Kazakhstan have been redirected to a page instructing users to download and install the new certificate, be it in their desktops or on their mobile devices.
Why is the Kazakhstan government forcing citizens to install the root certificate?
A local media, Tengrinews.kz reported, the Kazakh Ministry of Digital Development, Innovation and Aerospace said only internet users in Kazakhstan’s capital of Nur-Sultan will have to install the certificate; however, users from all across the country reported being blocked from accessing the internet until they installed the government’s certificate.
Olzhas Bibanov, head of public relations service at Tele2 Kazakhstan, said, “We were asked by authorized bodies to notify Nur-Sultan’s subscribers about the need to establish a security certificate”.
In an announcement sent to the local ISPs the government said the introduction of the root certificate was due to “the frequent cases of theft of personal and credentials, as well as money from bank accounts of Kazakhstan”.
The government in the announcement mentioned, “The introduction of a security certificate will help in the protection of information systems and data, as well as in identifying hacker cyber attacks of Internet fraudsters on the country’s information space systems, private, including the banking sector, before they can cause damage. (…) In the absence of a security certificate on subscriber devices, technical limitations may arise with access to individual Internet resources”.
The government further assured the tool “will become an effective tool to protect the country’s information space from hackers, Internet fraudsters and other types of cyber threats.”
The Kazakh government has tried unsuccessfully before to get its root certificate implemented
Similar to current situation, in December 2015, the government tried their first attempt to force Kazakh users to install the root certificate. The government also sent across a notice to all users warning to install the certificate by January 1, 2016.
“The decision was never implemented because the local government was sued by several organizations, including ISPs, banks, and foreign governments, who feared this would weaken the security of all internet traffic (and adjacent business) originating from the country”, ZDNet reports.
The Kazakh government approached Mozilla to include their root certificate into their Firefox by default. However, Mozilla declined their proposal.
How can users ensure their safety from their own government?
If users do not wish to install such a certificate that puts their personal data at risk, they can try encrypting their internet traffic themselves or avoid the installation of this certificate. One way is, by switching to Linux as according to the announcement, Linux users are exempted from downloading this certificate.
“[…] the installation of a security certificate must be performed from each device that will be used to access the Internet (mobile phones and tablets based on iOS / Android, personal computers and laptops based on Windows / MacOS).”
Eugene Ivanov, a member of the Mozilla team says, “I think both Mozilla and Google should intervene into this situation because it can create a dangerous precedent, nullifying all the efforts of enforcing HTTPS. If Kazakhstan will succeed, more and more governments (eg. Russian Federation, Iran, etc.) will start global MITM attacks on their citizens and this is not good. I think all CAs used for MITM attacks should be explicitly blacklisted both by Mozilla and Google to exclude even [the] possibility of such attacks.”
The government claims that installing the certificate is entirely voluntary. However, a user on HackerNews adds to this claim saying, “Technically yes, installing the certificate is voluntary; it’s just that if you don’t install it you won’t be able to access the internet anymore when the government starts MITMing your connections”. This is possible. The government can take strict measures, which may not be in favour of the public and in turn force them to indirectly and involuntarily handover their personal data
In such cases people are highly dependent on browsers such as Firefox, Google, to fight for their rights.
A Kazakhstan user writes on HackerNews, “Banning this certificate or at least warning the users against using it WILL help a lot. Each authoritarian regime is authoritarian in its own way. Kazakhstan doesn’t have a very strong regime, especially since the first president resigned earlier this year. When people protest strongly against something, the government usually backs down. For example, a couple of years ago the government withdrew their plans of lending lands to foreign governments after backlash from ordinary people. If Kazakhs knew about the implications of installing this certificate, they would have been on the streets already.”
The user further adds, “If Firefox, Chrome and/or Safari block this certificate, the people will show their dissatisfaction and the law will be revoked. Sometimes the people in authoritarian countries need a little bit of support from organizations to fight for their rights. I really hope the browser organizations would help us here.”
Browser organizations are having a discussion to come up with a plan of action to deal with sites that have been (re-)encrypted by the Kazakh government’s root certificate. However, nothing is yet officially disclosed.
We will update this page on further updates to this news. Read Google’s discussion group to know more about this news in detail.