Experts from multiple digital forensics firms report that the Kazakhstan government has begun intercepting all HTTPS traffic detected within its territory.
Internet service providers companies operating
in the country have already been warned by the government; from now on, they
will have to force their respective customers to install certificates released
by the Kazakh authorities on all their browsers and Internet-connected devices.
Digital forensics specialists say that once the
user installs these web certificates, they will be granting the government
access to their HTTPS traffic to read their content, encrypt it, and send it to
an unknown location. For a few hours now, the inhabitants of Kazakhstan trying to
access the Internet have been founding a message that redirects them to a
website detailing the steps to follow to install these government-developed
root certificates.
It seems that internet service providers have
no choice but to force their customers to install these certificates, as this
is an irrevocable decree of the Kazakh government.
Through its website, the Ministry for Digital
Development, Innovation and the Aerospace Industry stated that this measure
only applies to Internet users living in Nur-Sultan, the capital of Kazakhstan.
However, digital forensics experts say that users from other regions have also
been forced to install the certificate. Some users even claimed to have
received a text message asking them to install these certificates, reported some
local media.
With regard to this measure, some Kazakh
government officials have mentioned that “the GOV intention is to improve
the protection of our citizens, private companies and public institutions that
use the Internet on a daily basis; anyone can be a victim of hackers, online
scams or malware
infections.”
This is not the first time Kazakhstan has tried
to implement a similar measure. According to specialists from the International
Institute of Cyber Security (IICS), the government’s first attempt to bulk
install a certificate occurred in December 2015; the intention was that, as of
January 2016, all Internet users in the country would have this certificate
installed on their computers.
