Internet service providers (ISPs) based in Kazakhstan are being instructed to force their users to install government-issued root certificates on their devices to allow agencies to intercept web traffic.
The Kazakh government has taken concrete steps towards bypassing the added layer of protection that HTTPS encryption provides by launching an encryption-busting Qaznet Trust Certificate in the nation’s capital Nur-Sultan, according to local media. This is more commonly known in security circles as a man-in-the-middle (MitM) attack.
Important ➤#Kazakhstan Government begins "forceful" interception and monitoring of encrypted #HTTPS Internet traffic for all its citizens.
Learn more: https://t.co/Dq8LCpInOS
—by @unix_root pic.twitter.com/tKdPMyI6XO
— The Hacker News (@TheHackersNews) July 19, 2019
Paul Bischoff, Privacy Advocate at Comparitech.com:
“The Kazakh government’s decision to intercept all HTTPS traffic is about surveillance, not security. This is a man-in-the-middle attack at nation-state scale. It allows ISPs and the government to view the unencrypted internet traffic of everyone in the country. Considering that more than half of the websites visited today use HTTPS, this is a huge endeavour. It actually worsens the cybersecurity of everyone in the country. I’d give it a month before the whole thing falls apart.
It’s up to web browser makers to take a stand and prevent this sort of attack. Mozilla and Google et al. have a couple of options. They can disallow Kazakhstan’s HTTPS certificate altogether, which would make their browsers unusable in the country. Or they could add some sort of indicator to let users know that the government is spying on them.
A VPN might be a good solution in the meantime.”