Kazakhstan: HTTPS Internet Traffic Under A Forceful Interception


If you are a citizen of Kazakhstan, or simply located there, and cannot access Internet services without installing a certificate, you are not the only one affected. Once again, the Kazakhstan government has issued an advisory to all major local Internet Service Providers (ISPs) asking them to make it mandatory for all their customers to install government-issued root certificates on their devices in order to regain access to Internet services. The root certificate in question has been labeled a “trusted certificate” or “national security certificate”. Once installed, it permits the ISPs to intercept and monitor users’ encrypted HTTPS and TLS connections, helping the government spy on its citizens and censor content. In short, the government is essentially launching a “man in the middle” attack on every resident of the country.

A natural question is how installing a “root certificate” permits ISPs to decrypt HTTPS connections. For those unaware, your device and web browsers automatically trust digital certificates issued only by a specific list of Certificate Authorities (CAs) whose root certificates are installed on your system. As a result, compelling Internet users to install a root certificate that belongs to a government organization gives that organization the ability to generate digital certificates, accepted as valid by your device, for any domain whose HTTPS traffic it wants to intercept. Starting from April this year, the Kazakhstan ISPs began informing their users about the “national security certificate” that would be mandatory to install in order to continue uninterrupted access to a list of “allowed” HTTPS websites. Tele2, one of the major Kazakhstan ISPs, has finally started redirecting all HTTPS connections of its customers to a web page containing certificate files and instructions on how to install them on Windows, macOS, iOS and Android devices.
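An added example, not code from the article: because a forged certificate chains to the installed root, TLS validation succeeds without any warning, so detection has to compare the issuer of an already-validated certificate with the CA the site is known to use. The host names, CA names and the `EXPECTED_ISSUERS` baseline are constructed assumptions; the certificate dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

# Assumption: issuer organisations each site is known to use, recorded from
# a network you trust. Hosts and CA names are constructed placeholders.
EXPECTED_ISSUERS = {
    "mail.example.com": {"Example Public CA"},
    "bank.example.com": {"Example Public CA", "Another Public CA"},
}

def issuer_org(cert):
    """Return organizationName from a getpeercert()-style issuer field."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def fetch_cert(host, port=443, timeout=5):
    """Live lookup using the system trust store (not used by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def classify(host, cert, expected=EXPECTED_ISSUERS):
    """'ok', 'unknown-host' or 'unexpected-issuer' for a validated cert."""
    if host not in expected:
        return "unknown-host"
    return "ok" if issuer_org(cert) in expected[host] else "unexpected-issuer"

def audit(observations, expected=EXPECTED_ISSUERS):
    """Map each host to a verdict and group flagged hosts by issuer."""
    verdicts, by_issuer = {}, {}
    for host, cert in observations.items():
        verdicts[host] = classify(host, cert, expected)
        if verdicts[host] == "unexpected-issuer":
            by_issuer.setdefault(issuer_org(cert), []).append(host)
    return verdicts, by_issuer

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
def sample_cert(cn, org):
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("organizationName", org),), (("commonName", org + " G1"),))}

SAMPLES = {
    "mail.example.com": sample_cert("mail.example.com", "Example Public CA"),
    "bank.example.com": sample_cert("bank.example.com", "Constructed National Security CA"),
}
```

A single issuer that shows up in `by_issuer` for many unrelated hosts is the pattern an interception CA produces.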

The most serious security implication is this: since users can only browse non-HTTPS sites before installing the certificate, the certificate files are available for download only over insecure HTTP connections, which makes it easy for hackers to replace the certificate files using MiTM attacks. Other national ISPs, listed below, also plan to start forcing their Internet users to install the root certificate shortly to comply with the law.

  • Active (also lists allowed HTTPS websites)
  • Altel
  • Beeline
  • Kazakhtelecom
  • K-Cell

The controversial advisory has been issued with respect to amendments to the Law on Communications 2004 (the “Communications Law”) that the Kazakhstan government passed in November of 2015. As per Clause 11 of Article 26, the “Rules for Issuing and Applying a Security Certificate,” all national communications service providers are obliged to monitor the encrypted Internet traffic of their customers using government-issued security certificates. The law was intended to come into force on the 1st of January, 2016, but the Kazakhstan government failed to force the local ISPs to comply following a series of lawsuits. It seems now that the Kazakhstan government is making another attempt to enforce the amendments, putting the privacy and security of millions of its citizens at risk from both hackers and the government itself by breaking the fundamentals of Internet security protocols.

According to the note displayed by Internet providers, the amendments have been enforced “in connection with the frequent cases of theft of personal and credential data, as well as money from bank accounts of Kazakhstan.” Some statements have been released that need attention.

These statements make it clear that the Kazakh government wants to take control over what content its citizens are allowed to view on the Internet and to turn Kazakhstan into a deep surveillance state. Also, since half education is more dangerous than no education, it is very concerning that ISPs are promoting “custom CA root certificate installation” as a better solution that boosts online security. The pages and press releases created by ISPs with instructions on “why and how to install the government-issued certificate” do not correctly explain the threat of installing a wrong root certificate. This leaves the majority of citizens at risk of social engineering attacks and gives hackers an opportunity to trick users into installing a malicious root certificate from unofficial websites and sources.

Apart from this, intercepting HTTPS communications will also permit the ISPs to inject advertisements or tracking scripts into all web pages that users visit. At this point, it is not clear how the major tech companies and web browsers will respond to this new infringement of the privacy of Kazakhstan citizens.

Source: The Hacker News
