Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs?
Come on, guys. Don't go giving the Russians any ideas
Kazakhstan may be about to intercept and decrypt its citizens' internet traffic – by ordering them to install rogue security certificates.
On Monday, the nation's dominant telco Kazakhtelecom JSC said it and other operators are "obliged" by law to crack open people's HTTPS connections, and that this surveillance will begin from January 1.
This spying will be made possible by insisting everyone installs a "national security certificate" on their computers and mobile gadgets – most likely a root CA certificate just like the ones found in Lenovo's Superfish and Dell's Superfish 2.0 scandals.
This cert will trick web browsers and other apps into trusting the telco's systems that masquerade as legit websites, such as Google.com or Facebook.com. Rather than connect directly to those sites, browsers will really be talking to malicious man-in-the-middle servers.
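One way to spot an extra root of this kind on a machine is to compare the current trust store against a known-good baseline of root fingerprints. The sketch below is an added example, not part of the original article; the function names are hypothetical, and the sample "certificates" are constructed placeholder bytes rather than real DER data.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block and captures its base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_fingerprints(bundle: str) -> set[str]:
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_BLOCK.findall(bundle):
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def unexpected_roots(baseline: str, current: str) -> set[str]:
    """Fingerprints trusted now that were absent from the known-good baseline."""
    return pem_fingerprints(current) - pem_fingerprints(baseline)


def to_pem(der: bytes) -> str:
    """Wrap raw bytes as a PEM block (helper for the constructed sample data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: placeholder bytes standing in for DER certificates.
VENDOR_ROOT_A = b"constructed-vendor-root-A" * 8
VENDOR_ROOT_B = b"constructed-vendor-root-B" * 8
ADDED_ROOT = b"constructed-locally-installed-root" * 8

# The current store holds both baseline roots (reordered) plus one addition.
BASELINE = to_pem(VENDOR_ROOT_A) + to_pem(VENDOR_ROOT_B)
CURRENT = to_pem(VENDOR_ROOT_B) + to_pem(ADDED_ROOT) + to_pem(VENDOR_ROOT_A)

if __name__ == "__main__":
    for fp in sorted(unexpected_roots(BASELINE, CURRENT)):
        print("root not in baseline:", fp)
```

On a real system the baseline would be the root bundle shipped by the OS or browser vendor, and the current bundle an export of the machine's trust store.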
Shortly after word spread of the interception caper, the statement was pulled from the Kazakhtelecom site. The Register has asked the ISP if this means the policy has been cancelled, but has yet to hear back. Apparently, details on how to install the insecure "security certificates" will appear on the telco's website this month.
Forcing people to install dodgy root CA certs allows the government to grab people's passwords and other sensitive data right off the wire, keep tabs on citizens online, and even censor webpages.
We believe that by ordering people to install the certs on their machines and handhelds, Kazakhstan will be the first country to resort to such measures.
"According to the law, telecom operators are obliged to perform traffic pass using protocols that support coding using security certificate, except traffic, coded by means of cryptographic information protection on the territory of the Republic of Kazakhstan," the translated announcement reads.
"The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources."
The notice said that encrypted traffic between systems located within Kazakhstan will not be subject to the requirement.
Kazakhstan has a history of strict censorship policies. Civil liberties site Freedom House has noted the particularly tight controls Kazakhstan's government keeps on media and political organizations, and the site's 2015 freedom of the net report for Kazakhstan noted that earlier in the year, government officials outright blocked internet access in parts of the country due to civil unrest. ®