The Kazakhstan government is beginning to intercept all the encrypted traffic and to do it is forcing users in the country to install a certificate.
The Kazakhstan authorities issued an advisory to local Internet Service Providers (ISPs) asking them to allow their customers to access the Internet only after the installation on their devices
Once installed the root certificate (“trusted certificate” or “national security certificate) the ISPs will be able to spy on citizens’ encrypted HTTPS and TLS connections.
Since April, the Kazakh ISPs ar
By installing a root certificate issued by a Government Organisation allows the authorities to generate a valid digital certificate for any domain they want to intercept even if the user connects it via HTTPS.
Recently the Kazakh ISP Tele2 started redirecting all HTTPS connections of its customers to a web page containing the certificate and instructions on how to install the certificate on major OS.
The certificates are issued in compliance with the Law on Communications 2004 passed in November 2015. Clause 11 of Article 26, the “Rules for Issuing and Applying a Security Certificate,” states that national ISPs must monitor the encrypted Internet traffic of their customers using government-issued security certificates.
“In accordance with the Law of the Republic of Kazakhstan on Communications, Article 26 and Clause 11 of the Rules for Issuing and Applying a Security Certificate, communications operators ensure the distribution of a security certificate to their subscribers with whom they have contracts for the provision of communications services.” states Tele2.
“The law prescribes for carriers to pass traffic using protocols that support encryption using a security certificate, with the exception of traffic encrypted by means of cryptographic protection of information in the Republic of Kazakhstan.”
Experts pointed out that since users can visit websites only via HTTP before installing the certificates, it is possible that attackers can launch a Man-In-The-Middle attack to replace certificate files and spy on users’ connections.
The Kazakhstan government initially planned to force the installation of the certificate by January 2016, but evidently failed due to a series of lawsuits.
The authorities told to the citizens that the installation of the certificates is necessary to protect them from hackers.
“A security certificate has been introduced that will become an effective tool for protecting the country’s information space from hackers, Internet fraudsters and other types of cyber threats,” continues the note.
“The introduction of a security certificate will also help in the protection of information systems and data, as well as identifying hackers and Internet fraudsters before they can cause damage.”
“It will also allow Kazakhstan Internet users to be protected from hacker attacks and viewing illegal content.”
Clearly Kazakhstan aims at fully controlling the access to the Internet and apply censorship for not allowed content.
Giving a look at the Tor metrics for Kazakhstan it is possible to observe that since April the number of connected users through Tor is increased after the announcement of the first request of the government of installing the certificates.
(SecurityAffairs – Kazakhstan, surveillance)