Under the pretext of a “cyber security exercise”, the Government of Kazakhstan is forcing residents of the capital Nur-Sultan (formerly Astana) to voluntarily install a security certificate for Internet access, which facilitates the interception of data traffic through encrypted connections. HTTPS. The rule applies to accessing all foreign websites.
Once installed, the security certificate allows government agencies to intercept HTTPS traffic generated on users’ devices using the MITM (Man-in-the-Middle) method, with any external connection first passing through state-controlled servers. Without the “inconvenience” of an unknown encryption key, intercepting communications becomes an almost trivial task and censorship can take unsuspected forms. For example, the government may not only block certain sites, but also selectively filter their content, possibly substituting certain information with its own versions.
Internet access, only with interception
As of today, December 6, 2020, Kazakh Internet Service Providers (ISPs), such as Beeline, Tele2 and Kcell, are redirecting users from Nur-Sultan to web pages that show instructions on how to install the government certificate. Earlier this morning, Nur-Sultan residents also received text messages informing them of the new rules.
Without that security certificate, Internet users in Kazakhstan cannot access sites such as Google, Twitter, YouTube, Facebook, Instagram and Netflix.
This is the Kazakh government’s third attempt to force citizens to install root certificates on their devices after a first attempt in December 2015 and a second attempt in July 2019. Both previous attempts failed after browser manufacturers blacklisted the certificates. government.