Do you want to know the reason why? To "protect them from cyber threats"!



Kazakhstan government has started intercepting all HTTPS internet traffic inside its borders, starting July 17.

Governement instructed local ISPs to force their users into installing a government-issued certificate on all devices, and in every browser: it allows government agencies to decrypt users' HTTPS traffic, look at its content, encrypt it again with their certificate, and send it to its destination, acting an actual MitM attack.

So, since yesterday, Kazakh users trying to access the internet have been redirected to web pages that contained instructions on how to install the government's root certificate in their respective browsers, may it be a desktop or mobile device.

Now, Tele2, one of the major Kazakh ISPs, has finally started redirecting all HTTPS connections of its customers to a web page containing certificate files and instructions on how to install it on Windows, macOS, Android, and iOS devices.

Other national ISPs, listed below, also have plans to start forcing their Internet users into installing the root certificate shortly to comply with the law.

- Beeline
- K-Cell
- Active (also lists allowed HTTPS websites)
- Altel
- Kazakhtelecom

The controversial advisory has been issued with respect to amendments to the Law on Communications 2004 (the "Communications Law") that the Kazakhstan government passed in November 2015.

https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html


Kazakhstan government says it's a measure to protect citizens

The Kazakh Ministry of Digital Development, Innovation and Aerospace said the measure was

aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats.


Is not new

The Kazakh government first a similar measure in December 2015, when it ruled that all Kazakh user had to install their root certificate by January 1, 2016.

However, the decision was never implemented because the local government was sued by several organizations, including ISPs, banks, and foreign governments.

Furthermore, the Kazakh government also asked Mozilla to have its root certificate included in Firefox by default, but Mozilla declined.


And today?

Google, Microsoft, and Mozilla are discussing a plan of action on how to deal with sites that have been (re-)encrypted by the Kazakh government root certificate:

Sorry for bumping this old thread, but the Government of Kazakhstan has already started to use the certificate for MITM. Some information in news (on Russian):
https://tengrinews.kz/
internet/spetsialnyiy-
sertifikat-poprosili-ustanovit-smartfonyi-374216/

https://tengrinews.kz/
internet/problemyi-dostupom-
internetu-mogut-poyavitsya-astanchan-374068/

https://www.nur.kz/1805169-
problemy-s-dostupom-k-
internetu-mogut-poavitsa-u-zitelej-nur-sultana.html

Our internet providers via SMS inform us about the need to install this certificate that can be downloaded from their websites:
http://qca.kz
https://www.kcell.kz/ru/product/3585/658
https://www.beeline.kz/
almatinskaya-obl/about/press-
center/press/news/details/sertifikat-bezopasnosti/

Just to note, this certificate is not the same with the one that was published in this thread. Current one is issued by "Qaznet Trust Network"/"Security Certificate".

At the moment, providers started to use the certificate in the capital of Kazakhstan - Nur-Sultan (ex. Astana).

Did Mozilla have any way to prevent such attacks?

--
Thanks,
Pavel

https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/wnuKAhACo3E/cpsvHgcuDwAJ


Further readings