Four years ago, a huge scandal shook Kazakhstan’s Internet users. In 2015, the government created a so-called national security certificate, which would have made it mandatory for the country’s Internet users to install a government-controlled root certificate on their devices. The problem was that this would have allowed the regime, through local Internet service providers, to intercept, decrypt and re-encrypt traffic flowing through the systems it controls, in effect a man-in-the-middle attack on HTTPS traffic.
The regulation would have come into force on January 1, 2016, but the idea met so much backlash that it was abandoned, and the deadline passed without any effect. The fact that Mozilla declined the request to include the state’s root CA as trusted in its new browser builds did not help the government’s attempt either.
After this, the topic saw little public discussion until the late summer of 2019, when Kazakh Internet service providers (ISPs) asked their customers to install the government’s root certificate, called Qaznet Trust Network, on their devices. The main problem is that when a user installs a root CA manually, they trust a CA that is not subject to the browser’s strict policies, which gives it the possibility to carry out malicious acts.
Since then, several researchers have shown that the Qaznet certificate does indeed target specific domains, for which the traffic is first decrypted, then encrypted with the censor’s own key before being forwarded to the destination. Michigan University’s observatory, Censored Planet, for instance, tested around 10,000 domains and found 37 that trigger injection of the fake certificate. These sites are mostly social media-related, and the list includes Google, Twitter, Instagram and Facebook.
Although local ISPs claim that Qaznet can help protect users against fraud, hacking attempts and more, there are serious concerns, including the government obtaining sensitive data not only from Kazakh citizens but also from foreign users communicating with them over HTTPS. Several browsers, such as Chrome, Firefox and Safari, have blocked Kazakhstan’s state certificate and advise inhabitants who installed the root CA to remove it and to use a VPN or Tor to encrypt their traffic.
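For administrators who want to check whether a machine still trusts such a manually installed root, the following Python sketch scans the CA certificates Python loads from the operating system's default locations for the name given above. It is an added example, not code from the researchers or vendors mentioned; the function names and the sample store are constructed for illustration, and matching on the subject name alone is an assumption, since the article gives no fingerprint.

```python
import ssl

# Name the article gives for the government root; matched case-insensitively.
SUSPECT_NAMES = ("Qaznet Trust Network",)


def name_values(rdns):
    """Flatten ssl's nested RDN tuples into a list of attribute values."""
    return [value for rdn in rdns for _key, value in rdn]


def find_suspect_roots(ca_certs, names=SUSPECT_NAMES):
    """Return entries of a trust store whose subject mentions any of `names`."""
    hits = []
    for cert in ca_certs:
        subject = cert.get("subject", ())
        haystack = " ".join(name_values(subject)).lower()
        if any(n.lower() in haystack for n in names):
            hits.append({
                "subject": name_values(subject),
                "self_signed": subject == cert.get("issuer"),
                "serial": cert.get("serialNumber"),
                "not_after": cert.get("notAfter"),
            })
    return hits


def audit_default_store():
    """Scan the CAs Python loads from the OS defaults. Certificates that
    live only in a capath directory are not listed until they are used."""
    ctx = ssl.create_default_context()
    return find_suspect_roots(ctx.get_ca_certs())


def _root(*pairs, serial):
    """Build a constructed self-signed entry shaped like get_ca_certs() output."""
    name = tuple(((k, v),) for k, v in pairs)
    return {"subject": name, "issuer": name, "serialNumber": serial,
            "notAfter": "Jan  1 00:00:00 2035 GMT"}


# Constructed sample store (not real certificates), for offline testing.
SAMPLE_STORE = [
    _root(("organizationName", "Example Public CA"),
          ("commonName", "Example Root R1"), serial="01"),
    _root(("countryName", "KZ"),
          ("commonName", "Qaznet Trust Network"), serial="02"),
]

if __name__ == "__main__":
    for hit in audit_default_store():
        print("Suspect root in default trust store:", hit)
```

Browsers that keep their own certificate store, such as Firefox, are not covered by this scan and need to be checked in the browser's certificate manager.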
© 2019 Microsec ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41